Information Security News | AI Aggregator

Please be mindful of possible hallucinations. Verify information prior to taking action.
Qantas discloses cyberattack amid Scattered Spider aviation breaches
Date: 2025-07-02 | Source: BleepingComputer
Australian airline Qantas disclosed a cyberattack on a third-party platform holding customer data, affecting approximately 6 million customers. The breach, which began with a targeted attack on a Qantas call center, resulted in the theft of names, email addresses, phone numbers, birth dates, and frequent flyer numbers; no financial information was compromised. Qantas has notified the relevant authorities and is investigating the extent of the breach. The attack matches the tactics of the threat group "Scattered Spider," which specializes in social-engineering help desks and call centers and has recently been linked to breaches at other airlines, including WestJet and Hawaiian Airlines.
2025-07-02 | The Register: Australian airline Qantas reveals data theft impacting six million customers
Australian airline Qantas reported a cyberattack that compromised data of six million customers, including names, email addresses, phone numbers, birth dates, and frequent flyer numbers. The breach was detected on June 30, and Qantas has contained the incident, assuring that its systems remain secure. The airline is investigating the extent of the data theft and will communicate with affected customers. The specific platform involved has not been disclosed, but Qantas uses Salesforce and Genesys for its contact centers.
2025-07-02 | BBC News: Qantas data breach exposes up to six million customer profiles
Qantas experienced a data breach affecting up to six million customer profiles due to a cyber attack on a third-party customer service platform. Detected on June 30, the breach involved names, email addresses, phone numbers, birth dates, and frequent flyer numbers. Qantas has assured that sensitive information like passport and credit card details were not compromised. The airline has notified the Australian Federal Police and other authorities, and has set up a support line for concerned customers.
Aeza Group sanctioned for hosting ransomware, infostealer servers
Date: 2025-07-01 | Source: BleepingComputer
The U.S. Department of the Treasury has sanctioned Russian hosting company Aeza Group and four of its operators for providing bulletproof hosting services to ransomware gangs, including BianLian, and to infostealer operations. The sanctions freeze their U.S. assets and prohibit U.S. companies from doing business with them. The individuals include CEO Arsenii Penzev and general director Yurii Bozoyan, both of whom were reportedly arrested in Russia earlier this year on charges related to illegal banking and to hosting the BlackSprut drugs marketplace.
2025-07-01 | Chainalysis: OFAC Sanctions Aeza Group for Hosting Global Bulletproof Service which Enabled Cybercriminals and Technology Theft, Includes Crypto Address in Designation
On July 1, 2025, OFAC sanctioned Aeza Group LLC, a Russia-based bulletproof hosting provider, for facilitating ransomware attacks and cybercrime. The sanctions include a TRON cryptocurrency address linked to Aeza's payment infrastructure, which obscured customer deposits. The address received over $350,000 in crypto, indicating connections to illicit activities, including an infostealer vendor. This action targets the infrastructure enabling cybercrime, emphasizing the U.S. government's strategy to disrupt cybercriminal supply chains.
2025-07-01 | Recorded Future: Russian bulletproof hosting service Aeza Group sanctioned by US for ransomware work
The U.S. Treasury Department sanctioned the Russian bulletproof hosting service Aeza Group for facilitating ransomware and drug trafficking. Aeza Group provided cybercriminals with IP addresses and servers to evade law enforcement. CEO Arsenii Penzev and three other leaders were sanctioned, with some arrested in Russia. The group allegedly supported ransomware gangs like BianLian and the BlackSprut darknet marketplace. This action is part of a broader effort to dismantle cybercriminal infrastructure.
2025-07-01 | Cyberscoop: US sanctions bulletproof hosting provider for supporting ransomware, infostealer operations
Federal authorities sanctioned Aeza Group, a Russian bulletproof hosting provider, for supporting ransomware and malware operations, including BianLian and infostealers such as RedLine. Infostealer operations hosted on Aeza infrastructure have targeted U.S. defense industrial base and technology companies, and the Treasury Department's action follows a series of international cybercrime crackdowns. Four individuals, including part-owners Penzev and Bozoyan, were sanctioned, and the designation extends to affiliated companies in the UK and Russia, continuing the effort against cybercriminal infrastructure.
AT&T now lets you lock down your account to prevent SIM swapping attacks
Date: 2025-07-01 | Source: The Verge
AT&T has introduced an Account Lock feature to protect customers from SIM swapping and similar account-takeover attacks. While enabled, the lock blocks changes such as phone number transfers, billing updates, device upgrades and changes to authorized users; it can be activated from the myAT&T app, and users receive email and text notifications when changes are made. Other carriers, including T-Mobile and Verizon, already offer similar protections. The rollout of Account Lock began earlier this year.
2025-07-01 | Cyberscoop: AT&T deploys new account lock feature to counter SIM swapping
AT&T launched its Wireless Account Lock feature to strengthen protection against SIM swapping and account takeovers. Accessible via the company's app, it restricts changes to billing information, authorized users, phone numbers, and device upgrades, and sends notifications for any changes. A variant is available for prepaid customers, and corporate plans have a Business Account Lock for administrators. Experts nonetheless stress that the lock complements rather than replaces other measures such as two-factor authentication; because SIM swapping is typically used to intercept SMS one-time codes, app- or hardware-based MFA should be preferred over SMS wherever a service offers it.
2025-07-01 | BleepingComputer: AT&T rolls out "Wireless Lock" feature to block SIM swap attacks
AT&T has introduced the "Wireless Lock" feature to safeguard customers against SIM swap attacks by preventing account changes and number porting while enabled. This feature is now available to all customers, having been in limited release for nearly a year. SIM swap attacks allow cybercriminals to hijack phone numbers, compromising sensitive accounts. The feature also secures billing information and authorized users. Competitors like Verizon have offered similar protections for years.
International Criminal Court targeted by new ‘sophisticated’ attack
Date: 2025-07-01 | Source: Recorded Future
The International Criminal Court (ICC) detected a sophisticated cyber security incident last week through its alert and response mechanisms. The ICC is conducting an impact analysis and taking mitigation steps, though specific effects were not detailed. The Court emphasized the importance of support from the countries that ratified the Rome Statute for its mandate of justice. This follows previous incidents, including espionage attempts and heightened security concerns due to threats against its officials.
2025-07-01 | SC Magazine: ICC mitigating impact of cyberattack
The International Criminal Court (ICC) is managing a "sophisticated" cyber intrusion that coincided with a NATO summit on cyber defense. ICC spokesperson Fadi El Abdallah stated that all necessary measures for business continuity are in place. Specific details about the attack's intent and impact on confidential data remain undisclosed. The ICC has a history of espionage attempts and was previously compromised by a cyberattack affecting Wi-Fi access at its headquarters nearly two years ago.
2025-07-01 | TechRadar: International Criminal Court says it was hit by sophisticated cyberattack
The International Criminal Court (ICC) confirmed it experienced a sophisticated cyberattack, detected through its alert system. The attack has been contained, but details about the threat actors or the nature of the attack remain undisclosed. The ICC, which has faced heightened scrutiny since issuing an arrest warrant for Israeli Prime Minister Benjamin Netanyahu over alleged war crimes, has seen increased security concerns. Chief prosecutor Karim Khan emphasized the need for enhanced security measures to prevent future incidents.
2025-07-01 | BleepingComputer: International Criminal Court hit by new 'sophisticated' cyberattack
The International Criminal Court (ICC) is investigating a new "sophisticated" cyberattack discovered last week. This incident, the second in recent years, was contained through the ICC's cybersecurity measures. The nature and impact of the attack remain unclear, with no confirmation of data exfiltration. The ICC previously reported a September 2023 breach aimed at cyber espionage, highlighting ongoing security concerns and persistent threats to its systems.
2025-07-01 | DIGIT: International Criminal Court Targeted by “Sophisticated” Cyber-attack
The International Criminal Court (ICC) reported a “sophisticated” cyber-attack last week, which has been contained. The ICC is conducting a Court-wide impact analysis and taking steps to mitigate the incident's effects. This marks the second such incident for the ICC, with the previous one occurring in 2023, and both incidents are believed to have espionage objectives. The ICC's high-profile investigations make it a target for nation-state actors. Continued support is sought to uphold its mandate of justice.
2025-07-01 | The Register: International Criminal Court swats away 'sophisticated and targeted' cyberattack
The International Criminal Court (ICC) reported a "sophisticated" cyberattack, marking the second incident in two years. The attack was detected and contained, though specific effects and details were not disclosed. The ICC previously faced a similar attack in 2023 linked to its investigations into Russia's actions in Ukraine. The court emphasized the need for public awareness and support to maintain its mandate of justice amid ongoing security concerns and geopolitical tensions.
Arrest, seizures in latest U.S. operation against North Korean IT workers
Date: 2025-06-30 | Source: Cyberscoop
U.S. authorities arrested Zhenxing "Danny" Wang and indicted eight co-conspirators for running a scheme that placed North Korean IT workers in U.S. jobs under stolen identities, costing the victim companies over $3 million. The operation included the seizure of 29 financial accounts and 21 fraudulent websites. Separate indictments charged four North Korean nationals with stealing $900,000 in virtual currency. The DOJ emphasized the ongoing threat from North Korean cyber operatives infiltrating U.S. companies and indicated that further investigations are underway.
2025-06-30 | TechCrunch: US government takes down major North Korean ‘remote IT workers’ operation
The U.S. Department of Justice has taken action against a North Korean operation involving remote IT workers infiltrating U.S. tech companies to fund the regime's nuclear program. Zhenxing “Danny” Wang was arrested for running a scheme that generated over $5 million. Eight others, including six Chinese and two Taiwanese nationals, were indicted for various cyber crimes. The operation caused $3 million in damages and involved stealing sensitive data, including from a defense contractor. The FBI seized 137 laptops and multiple financial accounts during the investigation.
2025-06-30 | Cybersecurity Dive: US authorities unmask North Korean IT worker schemes and their American accomplices
The Department of Justice revealed actions against North Korean IT worker schemes, where citizens posed as remote workers to siphon funds to the regime and access sensitive data. U.S. facilitators, including Zhenxing and Kejia Wang, helped over 80 individuals secure jobs at Fortune 500 companies, resulting in over $3 million in costs. Authorities seized 70 laptops and 17 websites linked to the operation. Additionally, four North Koreans were charged with stealing over $900,000 in cryptocurrency.
2025-06-30 | Recorded Future: DOJ raids 29 ‘laptop farms’ in operation against North Korean IT worker scheme
The DOJ has raided 29 "laptop farms" across 16 states linked to a North Korean IT worker scheme, resulting in three indictments, one arrest, and the seizure of 29 financial accounts and 21 websites. The scheme allowed North Koreans to work illegally for over 100 U.S. companies, accessing sensitive data, including ITAR data. Zhenxing Wang, a U.S. national, faces charges for facilitating the scheme, which generated $5 million for North Korea. The investigation is ongoing, with potential for more arrests.
2025-06-30 | Wired: Identities of More Than 80 Americans Stolen for North Korean IT Worker Scams
The Department of Justice announced a crackdown on a North Korean scheme involving the theft of identities of over 80 Americans for remote tech jobs. Two Americans, Kejia and Zhenxing Wang, were indicted, with Zhenxing arrested. Authorities searched 29 laptop farms across 16 states, seizing around 200 computers and 29 financial accounts. The Wangs allegedly accessed personal details of over 700 Americans, using stolen documents to create fake identities for North Korean workers.
2025-06-30 | The Register: US shuts down a string of North Korean IT worker scams
The US Department of Justice disrupted multiple North Korean IT worker scams, uncovering over 100 fake employees using stolen identities to draw salaries and steal data. One suspect, Zhenxing "Danny" Wang, allegedly funneled $5 million to North Korea via fake businesses. Another case involved four North Koreans stealing over $900,000 in virtual currency while posing as remote developers. Law enforcement seized 137 laptops from 29 suspected laptop farms across several states. Indictments include charges of wire fraud and identity theft.
2025-07-01 | The Hacker News: U.S. Arrests Facilitator in North Korean IT Worker Scheme; Seizes 29 Domains and Raids 21 Laptop Farms
The U.S. Department of Justice arrested Zhenxing "Danny" Wang for facilitating a North Korean IT worker scheme; a related civil action seeks forfeiture of $7.74 million in assets. North Korean actors used stolen identities to secure jobs at over 100 U.S. companies, accessing sensitive data and stealing funds. Separately, Microsoft said it has suspended 3,000 accounts tied to North Korean IT worker activity, which relies on AI-polished fake profiles to appear legitimate. The scheme poses significant risks to national security and highlights the need for stronger hiring safeguards.
2025-07-01 | SC Magazine: Arrests, indictments made in US crackdown of North Korean IT worker schemes
The U.S. has intensified efforts against North Korea's fake IT worker schemes, revealing actions on Monday. U.S.-based facilitators, including Kejia Wang and Zhenxing Wang, compromised over 80 identities and infiltrated 100+ companies from 2021 to October 2024. This led to data and source code breaches at an AI defense contractor in California. Additionally, four North Korean nationals were indicted for laundering over $900,000 in cryptocurrency from firms in Atlanta and Serbia. The FBI continues to adapt to this evolving threat.
2025-07-01 | BleepingComputer: US disrupts North Korean IT worker "laptop farm" scheme in 16 states
The U.S. Department of Justice disrupted a North Korean scheme involving remote IT workers across 16 states, generating over $5 million in illicit revenue. Two individuals, Kejia and Zhenxing Wang, compromised identities of over 80 U.S. citizens to facilitate this. The operation accessed sensitive U.S. military tech, with multiple searches at 29 “laptop farms” resulting in the seizure of 200 computers and 21 fake websites. Four North Korean nationals remain at large, with a $5 million reward for information on their whereabouts.
2025-07-01 | TechRadar: Microsoft warns North Korean hackers are expanding fake job schemes - as Feds announce further crackdown
North Korean operatives are increasingly using fake job schemes to infiltrate US tech companies, employing AI tools to conceal their identities. Microsoft recommends stricter vetting and policies against unauthorized IT tools. The US government has arrested Zhenxing "Danny" Wang and indicted eight others for wire fraud and identity theft; the scheme netted over $5 million. (TechRadar refers to the activity as "Operation DreamJob"; that label is more commonly attached to Lazarus Group's fake job-offer lures aimed at targets, a different campaign from the remote IT worker scheme.) These operatives access sensitive data and sometimes extort companies after gaining employment.
2025-07-01 | SC Magazine: North Korean hackers expand remote IT worker scam beyond US firms
North Korean hackers have expanded their remote IT worker scam globally, targeting organizations outside the U.S. Microsoft reports that these actors, operating from Russia and China, use AI manipulation and social engineering to apply for IT roles, funneling payments back to the North Korean government. The threat actor “Jasper Sleet” has been linked to over 3,000 banned Microsoft accounts. Recommendations include enhanced screening of applicants to detect AI manipulation and robust identity verification processes.
US government warns of new Iran-linked cyber threats on critical infrastructure
Date: 2025-06-30 | Source: Cybersecurity Dive
U.S. government officials issued a threat advisory warning critical infrastructure operators of potential Iranian cyberattacks amid heightened geopolitical tensions. CISA, the FBI, the NSA, and the Department of Defense Cyber Crime Center (DC3) highlighted the risk to defense contractors with ties to Israel. Iranian hackers have a history of targeting U.S. infrastructure, with recent operations causing financial and reputational damage. Recommendations include disconnecting operational technology from the internet, using strong passwords, and implementing incident response plans.
2025-06-30 | Recorded Future: US defense firms must ‘remain vigilant’ against Iranian cyber activity, agencies warn
U.S. defense contractors are urged to stay vigilant against potential Iranian cyberattacks amid Middle East unrest, according to a joint advisory from CISA, FBI, NSA, and the Department of Defense Cyber Crime Center. While no coordinated cyber campaign from Iran has been detected, the advisory warns that Iranian-affiliated actors may target U.S. networks, particularly those linked to Israeli defense firms. Concerns about retaliatory attacks on critical infrastructure sectors like water and aviation are heightened.
2025-06-30 | The Hacker News: U.S. Agencies Warn of Rising Iranian Cyber Attacks on Defense, OT Networks, and Critical Infrastructure
U.S. cybersecurity agencies have issued a warning about increasing Iranian cyberattacks targeting defense, operational technology (OT) networks, and critical infrastructure. They emphasize the risk to Defense Industrial Base companies, particularly those linked to Israeli firms. Attackers exploit unpatched software and weak passwords. Recommendations include disconnecting OT assets from the internet, enforcing strong passwords and multi-factor authentication, and monitoring access logs. Tools like CISA's Cyber Hygiene program can help identify vulnerabilities.
2025-06-30 | SC Magazine: US security agencies warn of Iranian cyberattacks on infrastructure
On June 30, U.S. security agencies warned of potential Iranian cyberattacks on critical infrastructure, specifically DDoS and ransomware incidents. The advisory, issued by the NSA, CISA, FBI, and DC3, highlighted the IRGC's history of targeting poorly secured networks. Experts recommend enhanced security measures, including multi-factor authentication, microsegmentation, and monitoring of administrative credentials. The warning emphasizes vigilance, especially during geopolitical tensions, as Iranian groups may retaliate against U.S. interests.
2025-06-30 | BleepingComputer: U.S. warns of Iranian cyber threats on critical infrastructure
U.S. cyber agencies, including the FBI and NSA, issued a warning about potential Iranian cyberattacks on critical infrastructure, particularly targeting Defense Industrial Base companies linked to Israel. While no ongoing campaign has been detected, organizations in the energy, water, and healthcare sectors should strengthen their defenses. Iranian hackers exploit unpatched vulnerabilities and use DDoS attacks, ransomware, and data wipers. The agencies recommend isolating OT systems from the internet, using strong passwords, enabling MFA, and monitoring for unusual activity.
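The advisories summarized above recommend monitoring access logs and watching administrative credentials. As an added illustration (an editor's example, not code from the advisory or from any of the cited articles), here is a small Python detector that flags the kind of password-spraying burst those recommendations are meant to catch, run over constructed sshd log lines. The host name, the addresses (TEST-NET ranges), the account names, the ADMIN_USERS list and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in /var/log/auth.log style (not from any real
# incident). Host name, IPs (TEST-NET ranges) and user names are made up.
SAMPLE_LOG = """\
Jun 30 02:14:01 ot-jump sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 30 02:14:03 ot-jump sshd[2103]: Failed password for invalid user operator from 203.0.113.7 port 51030 ssh2
Jun 30 02:14:05 ot-jump sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jun 30 02:14:08 ot-jump sshd[2107]: Failed password for invalid user scada from 203.0.113.7 port 51052 ssh2
Jun 30 02:14:10 ot-jump sshd[2109]: Failed password for invalid user plc from 203.0.113.7 port 51060 ssh2
Jun 30 02:14:12 ot-jump sshd[2111]: Failed password for invalid user hmi from 203.0.113.7 port 51071 ssh2
Jun 30 02:14:15 ot-jump sshd[2113]: Accepted password for root from 203.0.113.7 port 51080 ssh2
Jun 30 03:01:44 ot-jump sshd[2300]: Failed password for jsmith from 198.51.100.4 port 40122 ssh2
Jun 30 03:02:10 ot-jump sshd[2302]: Accepted publickey for jsmith from 198.51.100.4 port 40123 ssh2
"""

# Accounts whose credentials the advisories say to watch closely (assumed list).
ADMIN_USERS = {"root", "admin", "administrator"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2025):
    """Return (timestamp, result, user, ip) tuples. Syslog lines carry no year,
    so one is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_spray(events, window_seconds=300, min_failures=5, min_users=3):
    """Flag a source IP when, inside a sliding window, it accumulates at least
    min_failures failed logins spread over at least min_users distinct
    usernames (a spray/brute-force burst). For each flagged IP also report which
    admin accounts were tried and any successful login from that IP that lands
    within the window after the burst: a hit after many guesses is the event
    worth paging on."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()  # tuples sort by timestamp first
        failures = [e for e in evs if e[1] == "Failed"]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:]
                     if (e[0] - first[0]).total_seconds() <= window_seconds]
            users = {e[2] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                last_fail = burst[-1][0]
                success_after = sorted(
                    e[2] for e in evs
                    if e[1] == "Accepted"
                    and 0 <= (e[0] - last_fail).total_seconds() <= window_seconds
                )
                findings[ip] = {
                    "failures": len(burst),
                    "users": sorted(users),
                    "admin_targeted": sorted(users & ADMIN_USERS),
                    "success_after": success_after,
                }
                break  # one finding per IP is enough
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the constructed sample the detector flags 203.0.113.7 (six failures across six usernames, including root and admin, followed by a successful root password login) and ignores 198.51.100.4, whose single failure followed by a key-based login is ordinary user behaviour. Thresholds and the window should be tuned to the real log volume; the point is that an accepted login from a source that just sprayed admin accounts is the alert that matters.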
Swiss nonprofit health organization breached by Sarcoma ransomware group
Date: 2025-06-30 | Source: Recorded Future
The Swiss nonprofit health organization Radix experienced a breach by the Sarcoma ransomware group, which published stolen data on a leak site. Radix confirmed the attack, stating it would restore affected data from backups. The breach involved 2 terabytes of data, with hackers demanding a ransom for decryption. The Swiss Federal Office of Public Health indicated that sensitive data was likely not affected, and Radix has not disclosed details on ransom negotiations. The attack's method is under investigation.
2025-06-30 | BleepingComputer: Switzerland says government data stolen in ransomware attack
The Swiss government has confirmed that sensitive data from various federal offices was stolen in a ransomware attack on the third-party organization Radix, which occurred on June 16. The Sarcoma ransomware group, which emerged in October 2024, compromised Radix's systems and leaked approximately 1.3TB of data on the dark web on June 29. Radix is notifying affected individuals and advises them to remain vigilant against potential phishing attempts. There is no evidence that partner organizations' data was compromised.
2025-07-01 | TechRadar: Swiss government warns data stolen in third-party ransomware attack
Ransomware group Sarcoma breached Radix, a non-profit in the health sector, leading to Swiss government files being posted on the dark web. Multiple federal agencies were affected, but Radix stated that attackers did not access Federal Administration systems. Radix confirmed a data leak on June 29, 2025, and has notified affected individuals. The company claims to have intact backups and is not pursuing ransom payment, as the stolen data has already been leaked. An investigation is ongoing.
Europol helps disrupt $540 million crypto investment fraud ring
Date: 2025-06-30 | Source: BleepingComputer
Spanish authorities arrested five individuals linked to a $540 million cryptocurrency investment fraud scheme, defrauding over 5,000 victims. The operation, supported by Europol and international investigators, revealed a network laundering money through Asian channels. The syndicate allegedly used a corporate network in Hong Kong for transactions. Europol highlighted the role of AI in enhancing the sophistication of scams, with online fraud expected to surpass other organized crime types.
2025-06-30 | The Hacker News: Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects
Europol announced the dismantling of a cryptocurrency fraud network that laundered €460 million ($540 million) from over 5,000 victims. The operation, supported by law enforcement from multiple countries, led to the arrest of five suspects on June 25, 2025. The fraudsters employed a "pig butchering" scheme, using social engineering to build trust before convincing victims to invest in fake platforms. The operation involved complex money laundering through a network based in Hong Kong, exploiting legal loopholes and synthetic identities.
2025-07-01 | Recorded Future: Spanish police arrest five over $542 million crypto investment scheme
Spanish police arrested five individuals linked to a $542 million cryptocurrency investment fraud scheme that defrauded over 5,000 victims globally. The suspects, based in Madrid and the Canary Islands, allegedly operated a network using a Hong Kong company to lure victims into fake crypto deals. The operation, named Borrelli, revealed a complex system of shell companies and false identities to launder funds. The investigation began in 2023 and is ongoing, highlighting the rising threat of cryptocurrency scams.
Canada orders Chinese CCTV biz Hikvision to quit the country ASAP
Date: 2025-06-30 | Source: The Register
Canada's government has ordered Hikvision to cease operations in the country on national security grounds, as announced by Minister Mélanie Joly. The government will stop using Hikvision products and has banned further purchases by its agencies. Hikvision criticized the decision, claiming it stems from geopolitical bias rather than any cybersecurity evaluation. Separately, China's CVERC flagged Starbucks' WeChat mini-program as collecting personal data illegally and transmitting it without encryption; Starbucks stated it has since addressed the issue.
2025-06-30 | BleepingComputer: Hikvision Canada ordered to cease operations over security risks
The Canadian government has ordered Hikvision Canada Inc. to cease operations due to national security risks identified in a review under the Investment Canada Act. The decision, announced by Minister Mélanie Joly, prohibits government organizations from purchasing Hikvision equipment. The review was based on information from Canada's security community, though specific findings were not disclosed. Hikvision condemned the ruling as politically motivated, asserting it lacks factual basis and transparency.
2025-06-30 | Recorded Future: Canada suspends Hikvision operations over national security concerns
Canada has ordered Hikvision to cease operations due to national security risks identified by its security and intelligence community. Minister Mélanie Joly emphasized the importance of this decision, banning government agencies from using Hikvision products. The government is also reviewing existing Hikvision installations. Hikvision criticized the decision as lacking factual basis and transparency, asserting it cooperated during the review. The company has operated in Canada since 2014, claiming to have created thousands of jobs.
2025-07-01 | SC Magazine: Hikvision banned in Canada over security risks
Hikvision's Canadian subsidiary received an operation cessation order from the Canadian government due to security risks associated with its products, which were deemed a threat to national security. The government is reviewing existing properties to prevent the use of legacy Hikvision products. Hikvision criticized the decision, claiming it lacks transparency and is influenced by geopolitical tensions rather than cybersecurity merits. This action coincides with ongoing U.S. court debates regarding the FCC's order against Chinese-owned technology.
Bluetooth flaws could let hackers spy through your microphone
Date: 2025-06-29 | Source: BleepingComputer
Vulnerabilities in Airoha Bluetooth SoCs used in 29 audio devices from brands such as Bose and Sony allow eavesdropping and data theft. Researchers at ERNW disclosed three vulnerabilities (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702) at the TROOPERS conference. Exploitation requires Bluetooth-range proximity and considerable technical skill. Attackers could hijack the connection between headphones and phone, initiate calls, and read call history. Airoha has released an updated SDK, but fixes only reach users as device firmware shipped by each manufacturer, and many affected products have not yet received an update.
2025-06-30 | Tomsguide: Major security flaw exposes Sony, JBL and Bose headphones to hijacking threat — how to stay safe
A security flaw in Bluetooth headphones and earbuds from brands like Sony, JBL, and Bose allows attackers to hijack devices, eavesdrop, and steal contact information. Identified by ERNW, vulnerabilities in Airoha's Bluetooth SoC enable manipulation without pairing. Affected models include Sony WH-1000XM6 and Jabra Elite 8 Active. Airoha has released a fix, but no firmware updates are confirmed yet. Users should disable Bluetooth in public and await updates to mitigate risks.
2025-06-30 | SC Magazine: Trio of Bluetooth chipset flaws could allow snooping, data theft
A trio of vulnerabilities in Airoha Bluetooth chipsets could enable eavesdropping and data theft from various audio devices, including 29 models of earbuds and headphones. The flaws are CVE-2025-20700 (medium severity, missing authentication for GATT services), CVE-2025-20701 (medium severity, missing authentication on the Bluetooth BR/EDR link), and CVE-2025-20702 (high severity, a custom protocol that exposes powerful capabilities without authentication). A proof-of-concept demonstrated potential remote code execution and the ability to place unauthorized phone calls, though exploitation requires significant expertise and physical proximity.
2025-06-30 | TechRadar: Sony, JBL and Bose headphones all affected by major Bluetooth security flaw which could let hackers spy on you via microphone
Security researchers identified three vulnerabilities (two rated medium severity and one high) in Airoha Bluetooth SoCs used in 29 devices from manufacturers such as Bose, Sony, and Jabra. The flaws, tracked as CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702, could allow eavesdropping, call history theft, and malware deployment. Exploiting them requires significant technical skill and proximity to the target device. Airoha has released an updated SDK with mitigations, and manufacturers are now developing firmware patches.
Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
Date: 2025-06-28 | Source: Cyberscoop
A Justice Department watchdog report reveals that a hacker for the Sinaloa drug cartel tracked an FBI official in Mexico, using surveillance data to intimidate and kill potential witnesses in the El Chapo case. The hacker exploited mobile devices and city cameras to gather information on the FBI Assistant Legal Attache. The report criticizes the FBI's inadequate initial response to the threat of ubiquitous technical surveillance and recommends enhanced training for personnel on these risks.
2025-06-30 | The Register: Sinaloa drug cartel hired a cybersnoop to identify and kill FBI informants
The Sinaloa drug cartel employed a hacker to track and eliminate FBI informants, as revealed in a recent audit. The hacker exploited mobile devices and accessed Mexico City's camera system to monitor individuals, including an FBI official. This information was used to intimidate and kill potential witnesses. The audit highlighted the FBI's inadequate response to the Ubiquitous Technical Surveillance (UTS) threat, citing disjointed management and insufficient training, prompting recommendations for improvement.
2025-06-30 | TechCrunch: Mexican drug cartel hacker spied on FBI official’s phone to track and kill informants, report says
In 2018, a hacker for the Sinaloa drug cartel spied on an FBI official in Mexico City, aiming to identify informants for targeting. The Department of Justice's report revealed the hacker accessed the official's phone data and Mexico City's camera system to track movements and meetings. This information was allegedly used to intimidate or kill potential witnesses. The incident occurred during the FBI's investigation leading to El Chapo's arrest, highlighting the cartel's advanced surveillance capabilities.
2025-06-30 | Ars Technica: Drug cartel hacked FBI official’s phone to track and kill informants, report says
The Sinaloa drug cartel hacked the phone of an FBI official to track informants, as reported by the Justice Department. A hired hacker exploited the official's phone number to access call logs and geolocation data, using Mexico City's camera system for surveillance. This incident, from 2018, exemplifies the FBI's ongoing challenges with "ubiquitous technical surveillance" (UTS), which has become easier due to advancements in hacking tools, posing an "existential" threat to investigations.
2025-07-01 | SC Magazine: US: Hacker enlisted to help Mexican cartel track, kill FBI informants
In 2018, the Sinaloa drug cartel hired a hacker to track and kill FBI informants, as revealed by the U.S. Department of Justice. The hacker exploited an FBI assistant legal attache's phone number to monitor calls and pinpoint locations, and accessed surveillance cameras to identify individuals the attache met. This information was used to threaten or kill witnesses. The audit emphasized the need for the FBI to assess vulnerabilities due to advancements in data mining and network exploitation.
Crims are posing as insurance companies to steal health records and payment info
Date: 2025-06-27 | Source: The Register
Criminals are impersonating insurance companies to steal health records and financial information, as warned by the FBI. They pressure victims through emails and texts to disclose sensitive data, exploiting previously leaked information to enhance credibility. Errol Weiss from Health-ISAC noted a rise in such phishing scams targeting healthcare organizations. The FBI advises verifying unsolicited requests through trusted channels to prevent falling victim to these sophisticated fraud schemes.
Crims are posing as insurance companies to steal health records and payment info
2025-06-30 | BleepingComputer: FBI: Cybercriminals steal health data posing as fraud investigators
The FBI has issued a warning about cybercriminals impersonating health fraud investigators to steal sensitive information from individuals. These scammers send emails and texts disguised as communications from legitimate health insurers, pressuring victims to disclose personal and health data. The FBI advises caution with unsolicited messages, recommends strong passwords and Multi-Factor Authentication, and suggests verifying any requests for information directly with health insurance providers.
2025-07-01 | Tomsguide: FBI warns scammers are posing as fraud investigators to steal sensitive healthcare info — what you need to know
Scammers are impersonating healthcare fraud investigators to steal sensitive personal and financial data, according to an FBI alert. They send phishing emails and texts to patients, aiming to obtain protected health information and financial details. The FBI warns that this tactic poses a significant threat, as some individuals have already fallen victim. Recommendations include being cautious with unsolicited communications, using strong passwords, and employing antivirus software to protect against potential malware.
Citrix Bleed 2 flaw now believed to be exploited in attacks
Date: 2025-06-27 | Source: BleepingComputer
A critical vulnerability in Citrix NetScaler ADC and Gateway, known as "Citrix Bleed 2" (CVE-2025-5777), is likely being exploited in attacks, according to ReliaQuest. This out-of-bounds memory read flaw allows unauthorized access to sensitive data, enabling session hijacking and MFA bypass. Citrix issued a fix on June 17, 2025. Users are advised to upgrade to specific versions and terminate active sessions post-update. Observations indicate attackers are leveraging this vulnerability for reconnaissance and unauthorized access.
Citrix Bleed 2 flaw now believed to be exploited in attacks
2025-06-27 | Cybersecurity Dive: Hackers exploiting critical Citrix Netscaler flaw, researchers say
A critical vulnerability in Citrix NetScaler, tracked as CVE-2025-5777, is being actively exploited, allowing attackers to extract session tokens and impersonate users, bypassing multifactor authentication. This flaw, related to insufficient input validation, raises concerns due to its potential link to financially motivated ransomware actors and nation-state groups. Citrix has released guidance for customers and confirmed a separate zero-day vulnerability, CVE-2025-6543, is also being exploited.
2025-06-30 | BleepingComputer: Over 1,200 Citrix servers unpatched against critical auth bypass flaw
Over 1,200 Citrix NetScaler ADC and Gateway appliances remain unpatched against CVE-2025-5777, a critical authentication bypass that lets attackers hijack user sessions. Citrix has advised customers to upgrade and then terminate active sessions, because sessions issued before the upgrade otherwise stay valid. Shadowserver counts 1,289 appliances exposed to CVE-2025-5777 and over 2,100 exposed to CVE-2025-6543, a separate critical flaw being exploited in denial-of-service attacks, while ReliaQuest reports medium confidence in ongoing exploitation of CVE-2025-5777. Immediate patching and monitoring are recommended.
2025-06-30 | SC Magazine: Attacks involving critical Citrix NetScaler bug underway
Threat actors are exploiting the critical Citrix NetScaler Gateway vulnerability, CVE-2025-5777, which allows session token extraction and user impersonation, potentially leading to multi-factor authentication bypass and session takeovers. ReliaQuest reported that these intrusions may involve ransomware or nation-state actors. The vulnerability is linked to inadequate input validation and has been compared to the CitrixBleed bug (CVE-2023-4966). Citrix has remediated the issue while acknowledging active exploitation of another zero-day vulnerability, CVE-2025-6543.
2025-06-30 | TechRadar: CitrixBleed 2 flaws are officially here - so get patching or leave your systems at risk
Citrix disclosed a critical-severity vulnerability, tracked as CVE-2025-5777 and rated 9.3/10, in NetScaler ADC and Gateway. This "CitrixBleed 2" flaw stems from insufficient input validation and lets attackers hijack user sessions; it affects the 14.1 branch before build 14.1-47.46 and the 13.1 branch before build 13.1-59.19. Citrix urges immediate patching. Two other vulnerabilities were addressed at the same time: a high-severity improper access control issue (CVSS 8.7) and a memory overflow vulnerability (CVSS 9.2, CVE-2025-6543).
2025-07-01 | SC Magazine: Thousands of Citrix NetScaler instances remain vulnerable to actively exploited bugs
Some 1,289 Citrix NetScaler ADC and Gateway servers remain vulnerable to CVE-2025-5777, known as "Citrix Bleed 2," and about 2,100 instances are at risk from CVE-2025-6543. The exposed servers sit primarily in the U.S. and Germany, and the flaws can lead to authentication data compromise and session takeovers. Organizations are advised to upgrade immediately and then terminate active sessions using the commands in Citrix's guidance, since sessions issued before the upgrade otherwise remain usable by an attacker.
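The practical question for an operator reading the coverage above is which appliances in an inventory are still below the fixed builds. The following is an added example, not code from Citrix or from any of the outlets cited: a small Python triage script that parses NetScaler version strings and compares them with the fixed builds named in TechRadar's summary (14.1-47.46 and 13.1-59.19). The version-string formats, the inventory, and the handling of FIPS/NDcPP builds and of branches not named on this page (all reported as "unknown" for manual review against Citrix's advisory rather than silently called safe) are my assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed builds for CVE-2025-5777 on the two branches named in the coverage
# above. Assumption: only these two are covered here; FIPS/NDcPP builds and
# other branches have their own thresholds in Citrix's advisory and are
# reported as "unknown" so an operator checks them by hand.
FIXED_BUILDS: Dict[str, Tuple[int, int]] = {
    "14.1": (47, 46),
    "13.1": (59, 19),
}

# Matches both the CLI form "NetScaler NS14.1: Build 47.46.nc" and the
# dashed form "14.1-47.46" used in advisories (assumed formats).
VERSION_RE = re.compile(r"(\d+\.\d+)\D+(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[str, int, int]]:
    """Return (branch, build_major, build_minor) or None if unparseable."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(text: str) -> str:
    """Classify one version string as 'patched', 'vulnerable' or 'unknown'.

    'unknown' is deliberate for anything this table does not cover: a
    script should not call a build safe when it has no threshold for it.
    """
    upper = text.upper()
    if "FIPS" in upper or "NDCPP" in upper:
        return "unknown"
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    branch, major, minor = parsed
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"
    return "patched" if (major, minor) >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map appliance name -> status for a dict of name -> version string."""
    return {name: assess(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration; these are not real hosts.
    sample = {
        "gw-dc1": "NetScaler NS14.1: Build 47.46.nc, Date: Jun 10 2025",
        "gw-dc2": "NetScaler NS14.1: Build 43.56.nc, Date: Jan 15 2025",
        "adc-lab": "13.1-59.18",
        "adc-fips": "NetScaler NS13.1: Build 37.235.nc FIPS",
        "adc-old": "13.0-92.21",
    }
    for host, status in triage(sample).items():
        # Even a "patched" appliance needs its pre-upgrade sessions killed,
        # which is why the guidance above pairs the upgrade with session
        # termination; this script only reports build status.
        print(f"{host:10s} {status}")
```

Feed it the output of `show ns version` from each appliance (or whatever your CMDB stores) and act on every "vulnerable" and "unknown" row; a "patched" row still needs the post-upgrade session termination the advisories describe.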
Hackers claim to be selling 61 million Verizon records online, but it might not be what it seems
Date: 2025-06-27 | Source: TechRadar
A database allegedly containing records of 61 million Verizon users has surfaced online, raising concerns about a potential data breach. The 3.1GB dataset includes sensitive information such as names, dates of birth, and addresses. Verizon stated that the data is old and not affiliated with the company, dismissing the claims as unfounded. Cybersecurity experts warn that such exposure increases the risk of identity theft, urging users to adopt protective measures like identity theft protection and secure password practices.
Hackers claim to be selling 61 million Verizon records online, but it might not be what it seems
2025-06-30 | Security Magazine: 61M Records Listed for Sale Online, Allegedly Belong to Verizon
Researchers from SafetyDetectives found a post on a web forum offering a database allegedly containing records of 61 million Verizon customers. The 3.1 GB file, dated 2025, appears legitimate but cannot be confirmed as Verizon's. The data includes names, genders, birthdates, addresses, phone numbers, and tax IDs. If authentic, this exposure could lead to risks such as social engineering attacks, phishing, and identity theft for affected individuals.
2025-07-01 | Tomsguide: 61 million Verizon records reportedly for sale — including date of birth, tax ID and phone numbers
A post claims to offer data from approximately 61 million Verizon USA users for sale, including sensitive information such as names, dates of birth, tax IDs, and contact details. Security researchers noted the data's authenticity but could not confirm its origin. Verizon stated the data is old and not affiliated with its customers. Users are advised to change passwords, enable two-factor authentication, avoid suspicious links, and consider identity theft protection services.
Data spill in aisle 5: Grocery giant Ahold Delhaize says 2.2M affected after cyberattack
Date: 2025-06-27 | Source: The Register
Ahold Delhaize reported that over 2.2 million individuals had their personal, financial, and health data compromised in a November cyberattack. The breach affected current and former employees, with exposed data including names, contact information, dates of birth, government IDs, financial account details, and health information. The company is believed to have faced a ransomware attack, and it has offered affected staff in the US two years of free credit monitoring and identity protection services.
Data spill in aisle 5: Grocery giant Ahold Delhaize says 2.2M affected after cyberattack
2025-06-27 | Recorded Future: Hackers stole data on 2.2 million people in cyberattack affecting American grocery chains
Ahold Delhaize reported a cyberattack in November affecting over 2.2 million individuals, with stolen data including Social Security numbers, financial information, and health records. The attack, attributed to the INC ransomware gang, began on November 5, disrupting online grocery orders. Ahold Delhaize is offering two years of credit monitoring to victims. The company operates major brands like Food Lion and Stop & Shop, and reported over $24 billion in net sales in 2023.
2025-06-30 | TechRadar: Supermarket giant admits 2.2 million people could be hit by worrying data breach - what to do if you're affected
In November 2024, Ahold Delhaize suffered a cyberattack impacting over 2.2 million individuals, with data stolen including sensitive personally identifiable information (PII) such as names, addresses, emails, phone numbers, dates of birth, and bank account details. The group INC Ransom claimed responsibility, leaking documents in April 2025. Ahold Delhaize is providing 24 months of free credit monitoring and identity theft protection through Experian for those affected.
2025-06-30 | SC Magazine: Toll of Ahold Delhaize attack exceeds 2.2M
Ahold Delhaize reported that a November cyberattack resulted in the theft of information from over 2.24 million individuals, attributed to the INC Ransom ransomware group. The compromised data includes names, birthdates, contact details, Social Security numbers, financial account information, health details, and employment-related data. The company is working with cybersecurity experts to investigate and secure affected systems but has not disclosed specifics about the intrusion or potential customer data exposure.
2025-07-01 | Cybersecurity Dive: Ahold Delhaize USA says cyberattack exposed personal data of 2M people
Ahold Delhaize USA reported a cyberattack in late 2024 that potentially exposed personal data of over 2 million individuals, including Social Security numbers and health records. The breach, affecting current and former employees and their dependents, occurred on November 5 and 6. The company offered two years of credit monitoring but did not propose further remedies. The threat group Inc Ransom claimed responsibility. The attack also disrupted e-commerce services across its U.S. supermarket banners.
MOVEit Transfer Faces Increased Threats as Scanning Surges and CVE Flaws Are Targeted
Date: 2025-06-27 | Source: The Hacker News
Threat intelligence firm GreyNoise reports a significant increase in scanning activity targeting Progress MOVEit Transfer systems since May 27, 2025, with over 100 unique IPs observed, peaking at 319 on May 28. A total of 682 unique IPs were flagged in 90 days, with 449 in the last 24 hours, including 344 suspicious and 77 malicious. Exploitation attempts on CVE-2023-34362 and CVE-2023-36934 were detected on June 12, 2025. Users are advised to block offending IPs and ensure software is updated.
MOVEit Transfer Faces Increased Threats as Scanning Surges and CVE Flaws Are Targeted
2025-06-27 | SC Magazine: MOVEit Transfer systems scans jump significantly
On May 27, scanning of Progress MOVEit Transfer systems surged, with over 100 unique IPs detected, rising to 319 the next day, according to GreyNoise. This marked a significant increase from fewer than 10 IPs daily. Exploitation attempts related to CVE-2023-34362 and CVE-2023-36934 were noted on June 12. Experts emphasize the importance of patching outdated software and monitoring scanning activity as potential early warnings for security teams to bolster defenses against opportunistic attacks.
2025-06-30 | TechRadar: Another major MOVEit flaw could be on the way - here's what we know
Security researchers have reported a significant increase in IP scans targeting Progress' MOVEit Secure Managed File Transfer software, indicating a potential new vulnerability. Following a major flaw discovered in 2023 that was exploited by the Cl0p ransomware group, scanning activity surged from fewer than 10 IPs daily to over 300. In the last 90 days, over 600 unique IP addresses have been linked to this campaign, primarily from the US, suggesting ongoing interest from threat actors in exploiting MOVEit.
2025-07-01 | Security Magazine: Could Increased MOVEit Transfer Scanning Signal Emerging Threat Activity?
As of May 27, 2025, scanning activity targeting MOVEit Transfer systems surged, with over 300 unique IPs observed. This increase suggests potential threat activity, though it may not indicate imminent exploitation. On June 12, 2025, confirmed exploitation attempts were noted involving CVE-2023-34362 and CVE-2023-36934, emphasizing the need for timely software updates. Security teams are advised to implement zero-trust architectures, manage privileged access, and maintain accurate Software Bills of Materials (SBOMs) to mitigate risks.
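The pattern the reports above describe, a baseline of under ten scanning IPs a day jumping to several hundred, is easy to turn into an alert. The following is an added example, not GreyNoise's tooling or anything from the articles: a Python detector that counts distinct source IPs per day hitting MOVEit Transfer paths in a web access log and flags days that exceed both an absolute floor and a multiple of the median of earlier days. The log format, the request paths assumed to belong to a MOVEit deployment, the thresholds, and the sample log (constructed to resemble the surge described, not real traffic) are my assumptions.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, Iterable, List, Optional, Tuple

# Request paths I assume a MOVEit Transfer deployment exposes and that
# scanners probe (assumption; adjust to what your own access logs show).
MOVEIT_PATHS = ("/human.aspx", "/machine.aspx", "/guestaccess.aspx", "/moveitisapi/")


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse a constructed 'timestamp ip method path status' access-log line.

    Returns (day, ip, path), or None for lines that do not fit the format.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, ip, _method, path, _status = parts
    return ts[:10], ip, path


def daily_unique_ips(lines: Iterable[str]) -> Dict[str, int]:
    """Count distinct source IPs per day that touched a MOVEit path."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        day, ip, path = parsed
        if path.startswith(MOVEIT_PATHS):
            seen[day].add(ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}


def detect_surges(counts: Dict[str, int], factor: float = 10.0,
                  min_ips: int = 50) -> List[Tuple[str, int]]:
    """Flag days whose unique-IP count exceeds an absolute floor and
    `factor` times the median of all earlier days.

    The median of earlier days keeps one surge day from inflating the
    baseline for the next one, which matters when a campaign runs for
    several days as in the reports above.
    """
    alerts: List[Tuple[str, int]] = []
    history: List[int] = []
    for day in sorted(counts):
        n = counts[day]
        baseline = median(history) if history else 0
        if n >= min_ips and n > factor * baseline:
            alerts.append((day, n))
        history.append(n)
    return alerts


def build_sample_log() -> List[str]:
    """Constructed log: a quiet baseline, then a surge shaped like the reported one."""
    per_day = {"2025-05-24": 4, "2025-05-25": 6, "2025-05-26": 5,
               "2025-05-27": 120, "2025-05-28": 319}
    lines = []
    for day, n in per_day.items():
        for i in range(n):
            # Documentation ranges only; each day restarts at .1 so the
            # per-day unique count equals n.
            ip = f"203.0.113.{i + 1}" if i < 254 else f"198.51.100.{i - 253}"
            path = MOVEIT_PATHS[i % len(MOVEIT_PATHS)]
            lines.append(f"{day}T08:{i % 60:02d}:00Z {ip} GET {path} 404")
        # Unrelated traffic on the same host must not count.
        lines.append(f"{day}T09:00:00Z 192.0.2.77 GET /healthz 200")
    return lines


if __name__ == "__main__":
    counts = daily_unique_ips(build_sample_log())
    for day, n in counts.items():
        print(day, n)
    print("surge days:", detect_surges(counts))
```

Scanning alone is not exploitation, as Security Magazine's summary notes; the value of an alert like this is the lead time it gives to confirm the patch level for CVE-2023-34362 and CVE-2023-36934 and to block the offending sources before exploitation attempts follow.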
Hawaiian Airlines discloses cyberattack, flights not affected
Date: 2025-06-27 | Source: BleepingComputer
Hawaiian Airlines is investigating a cyberattack that disrupted access to some IT systems but did not affect flight safety or operations. The airline has engaged external cybersecurity experts and relevant authorities for investigation and remediation. No details on the nature of the attack or responsibility have been disclosed. The incident follows a similar attack on WestJet, which is also working with forensic experts and law enforcement.
Hawaiian Airlines discloses cyberattack, flights not affected
2025-06-27 | SC Magazine: Cyber incident impacts Hawaiian Airlines
Hawaiian Airlines experienced a cybersecurity event that disrupted some IT systems on Thursday, but flight schedules remain unchanged. The airline is working with law enforcement and experts for remediation but has not disclosed details about the affected systems or potential passenger data exposure. The FAA stated there was no impact on safety, and operations continue normally. This incident follows a recent cyberattack on WestJet Airlines.
2025-06-27 | Recorded Future: Update: Hawaiian Airlines cyberattack has marks of Scattered Spider, sources say
Hawaiian Airlines confirmed that it is operating its full flight schedule safely following a cyberattack that impacted some IT systems, first reported on Thursday. The airline's website displayed alerts about the incident, which also affected Alaska Airlines, its parent company. Federal authorities are investigating, and the FAA is assisting to ensure flight safety. Hawaiian Airlines operates 150 daily flights and reported $869 million in revenue in its last independent quarter.
2025-06-27 | The Register: Aloha, you’ve been pwned: Hawaiian Airlines discloses ‘cybersecurity event’
Hawaiian Airlines reported a cybersecurity incident affecting its IT systems, discovered on June 23 and disclosed on June 27. Flights continue to operate normally. The airline has engaged authorities and experts for investigation and remediation. There is no confirmation of stolen customer or employee data or ransomware deployment. The FAA stated there is no safety impact. This incident follows a similar event at WestJet, which also faced disruptions due to a cybersecurity breach.
2025-06-27 | BleepingComputer: Scattered Spider hackers shift focus to aviation, transportation firms
Hackers known as "Scattered Spider" have shifted their focus to the aviation and transportation sectors after previously targeting retail and insurance industries. Recent attacks include a June 12 cyberattack on WestJet, disrupting services due to compromised data centers and Microsoft Cloud access via a self-service password reset. Hawaiian Airlines also reported a cyberattack. Experts recommend tightening identity verification processes and securing help desk operations to mitigate risks from these sophisticated social engineering attacks.
2025-06-27 | Cyberscoop: Scattered Spider strikes again? Aviation industry appears to be next target for criminal group
Scattered Spider, a cybercriminal group, has shifted its focus to the aviation industry, targeting Hawaiian Airlines in a cybersecurity incident detected on June 23. The airline reported IT system disruptions but maintained flight operations. Incident responders attribute the attack to Scattered Spider, which has also targeted WestJet recently. Experts recommend heightened vigilance against social engineering attacks and suspicious MFA reset requests as the group employs consistent tactics across sectors.
2025-06-27 | TechCrunch: Prolific cybercrime gang now targeting airlines and the transportation sector
Cybersecurity firms Mandiant and Palo Alto Networks report that the hacking group Scattered Spider is now targeting airlines and the transportation sector. Hawaiian Airlines is securing its systems after a recent cyberattack, while WestJet reported an ongoing cyberattack linked to Scattered Spider on June 13. The group, known for deception tactics and social engineering, has previously attacked the U.K. retail sector, insurance industry, hotels, casinos, and tech companies.
2025-06-27 | Cybersecurity Dive: Scattered Spider appears to pivot toward aviation sector
Hackers from the Scattered Spider group have shifted their focus to the aviation sector, targeting airlines after previously attacking retail and insurance industries. Mandiant and Palo Alto Networks have noted incidents resembling Scattered Spider's tactics, emphasizing the need for organizations to enhance phishing-resistant multifactor authentication. Hawaiian Airlines recently reported a cyberattack disrupting IT systems but has not attributed it to any group. Experts recommend auditing remote management tools for potential abuse.
2025-06-28 | The Hacker News: FBI Warns of Scattered Spider's Expanding Attacks on Airlines Using Social Engineering
The FBI warns that the cybercrime group Scattered Spider is expanding its attacks on the airline sector, utilizing social engineering to impersonate employees and bypass multi-factor authentication (MFA). The group targets third-party IT providers, leading to data theft and ransomware. Experts recommend tightening help desk identity verification processes. Scattered Spider's sophisticated tactics include extensive reconnaissance and targeting C-Suite accounts, demonstrating a critical vulnerability in identity verification workflows.
2025-06-28 | TechCrunch: FBI, cybersecurity firms say a prolific hacking crew is now targeting airlines and the transportation sector
The FBI and cybersecurity firms warn that the hacking group Scattered Spider is now targeting airlines and the transportation sector. Recent attacks have affected Hawaiian Airlines and WestJet, with the latter's incident linked to Scattered Spider. This group employs social engineering and phishing tactics to steal sensitive data and may target large corporations and their IT providers. The warning follows previous attacks on the U.K. retail and insurance sectors.
2025-06-30 | Risky.Biz: Risky Bulletin: Scattered Spider goes after aviation sector
Individuals from the hacker group Scattered Spider are targeting the aviation sector, following breaches at WestJet and Hawaiian Airlines. Google, Palo Alto Networks, and the FBI have issued warnings about the group's tactics, which include social engineering to bypass MFA and deploy ransomware. The group has a history of shifting focus between sectors, and experts recommend enhancing identity verification and MFA to mitigate risks. Recent attacks have caused significant operational disruptions for victims.
2025-06-30 | TechRadar: Hawaiian Airlines says it was hit by ‘cybersecurity event’ - but flyers should be safe
Hawaiian Airlines reported a cybersecurity incident on June 23, 2025, affecting certain IT systems, but confirmed that flights were not impacted. The airline filed an 8-K form with the SEC and engaged external cybersecurity experts for investigation. Speculation suggests the attack may be linked to the hacking group Scattered Spider. Security experts recommend organizations enhance identity verification and implement phishing-resistant MFA to mitigate risks. The financial impact of the incident remains undetermined.
2025-06-30 | TechRadar: FBI warns Scattered Spider hackers are now going after airlines
The FBI has issued a warning regarding the Scattered Spider hacking group, which is now targeting US airlines after previously attacking UK retailers. Two incidents were reported in June 2025: WestJet on June 13 and Hawaiian Airlines, which disclosed its incident on June 26. The group employs phishing and social engineering tactics to access networks, steal data, and deploy ransomware. The FBI advises that all entities in the airline ecosystem, including vendors, may be at risk and encourages early reporting of incidents.
2025-06-30 | The Register: Scattered Spider crime spree takes flight as focus turns to aviation sector
Scattered Spider has shifted its focus to the aviation sector, following previous attacks on the insurance industry. Mandiant's CTO, Charles Carmakal, reported multiple incidents in airlines resembling Scattered Spider's tactics. Recommendations include tightening help desk identity verification and enhancing MFA solutions. Recent cybersecurity incidents were reported by Hawaiian Airlines and WestJet, with Aflac confirming potential data compromise due to social engineering. Experts warn of sophisticated social engineering attacks targeting the aviation industry.
2025-07-01 | DIGIT: FBI and Google Mandiant Point to Scattered Spider Over Airline Cyber-attacks
Scattered Spider has shifted its focus to the aviation sector, with multiple airlines reporting cybersecurity incidents. Google Mandiant and the FBI linked these incidents to the cyber gang, which previously targeted UK retailers. Notable incidents include WestJet Airlines on June 13 and Hawaiian Airlines, disclosed on June 26; flight operations remained unaffected in both cases. Both organizations warned companies to be vigilant against social engineering tactics, particularly those aimed at IT help desks and third-party vendors.
8-K - UNITED NATURAL FOODS INC (0001020859) [Material]
Date: 2025-06-26 | Source: U.S. Securities and Exchange Commission (Filings)
On June 5, 2025, United Natural Foods, Inc. detected unauthorized activity on its IT systems, prompting activation of its incident response plan and temporary system shutdowns, affecting order fulfillment. The incident has been contained, and core systems for electronic ordering have been restored. The company anticipates a material impact on net income and adjusted EBITDA for Q4 2025 due to reduced sales and increased operational costs. Cybersecurity insurance is expected to cover related expenses, with claims extending into FY 2026.
8-K - UNITED NATURAL FOODS INC (0001020859) [Material]
2025-06-27 | BleepingComputer: Whole Foods supplier UNFI restores core systems after cyberattack
United Natural Foods (UNFI) has restored core systems following a cyberattack on June 5, which disrupted customer orders and operations. The incident is expected to materially impact its fourth fiscal quarter of 2025 net income and adjusted EBITDA due to reduced sales and increased operational costs. UNFI has hired external cybersecurity experts and notified law enforcement but does not anticipate notifying consumers, as no personal information was compromised. The company holds adequate cybersecurity insurance for the incident.
2025-06-27 | Recorded Future: United Natural Foods says week-long cyber incident will impact quarterly income
United Natural Foods (UNFI) experienced a cyberattack on June 5, impacting its fulfillment and distribution systems. Although core systems for electronic ordering and invoicing have been restored, the incident is expected to materially affect the company's net income for the fourth fiscal quarter of 2025. UNFI reported reduced sales and increased operational costs due to the attack, which has not been claimed by any cybercriminal group. The company has cyber insurance to cover some costs.
2025-06-30 | SC Magazine: UNFI expects financial hit from cyberattack as recovery continues
United Natural Foods, Inc. (UNFI) reported a cyberattack's "material impact" on its Q4 fiscal 2025 financials, following the recovery of core systems. The attack led to lower sales and increased operational costs, alongside ongoing incident investigation expenses. UNFI holds cybersecurity insurance expected to cover the incident, with claims extending into fiscal 2026. The nature of the attack remains undisclosed, but consumer data was not affected. The report also notes a separate investigation into a Clop ransomware attack at Sam's Club.
2025-06-30 | SC Magazine: Almost 40K affected by Nth Degree breach
SC Magazine's roundup reports that nearly 40,000 individuals were affected by a breach at Nth Degree. The same item notes UNFI's disclosure that its cyberattack will have a "material impact" on its financials for Q4 of fiscal year 2025, and that the company has recovered its core systems, including electronic ordering and invoicing, following the incident.
Microsoft to make Windows more resilient following 2024 IT outage
Date: 2025-06-26 | Source: Cybersecurity Dive
Microsoft plans to roll out significant platform upgrades starting in July 2025 to enhance operational resilience in Windows following the July 2024 global IT outage attributed to a faulty CrowdStrike software update. The changes aim to enable quick machine recovery and ensure Microsoft 365 users can access the cloud securely. The 2024 outage affected 8.5 million Windows systems, disrupting critical infrastructure and resulting in billions in losses. CrowdStrike identified the issue as stemming from a flawed update on its Falcon platform.
Microsoft to make Windows more resilient following 2024 IT outage
2025-06-26 | TechRadar: Microsoft wants to avoid another disastrous global outage - here's how it plans to do it
Microsoft has launched the Windows Resiliency Initiative (WRI) to enhance the reliability and security of the Windows platform following the 2024 CrowdStrike-related outage. Key changes include moving antivirus tools out of the kernel to user mode for better recovery and reduced disruption. Collaborating with security vendors like Bitdefender and CrowdStrike, Microsoft aims to modernize security architecture. Upcoming Windows 11 updates will introduce new recovery tools and features to minimize operational interruptions.
2025-06-27 | Cyberscoop: Microsoft security updates address CrowdStrike crash, kill ‘Blue Screen of Death’
Microsoft's recent security updates address issues stemming from a faulty CrowdStrike software update that caused significant IT outages. Key changes include restricting third-party antivirus access to the Windows kernel, requiring extensive testing for security updates, and introducing a new endpoint security platform. Additionally, a Windows update will enhance crash recovery, replacing the "Blue Screen of Death" with a simplified interface and reducing downtime. These measures aim to improve system reliability and resilience against future outages.
2025-06-30 | SC Magazine: How Microsoft plans to improve resiliency 1 year after CrowdStrike outage
On July 18, 2024, a faulty CrowdStrike Falcon update caused an outage affecting 8.5 million Windows machines. In response, Microsoft announced plans to enhance resiliency, including allowing cybersecurity solutions to run outside the kernel. The new MVI 3.0 program will enforce rigorous testing and safe deployment practices for vendors. Upcoming Windows 11 24H2 features include a simplified crash screen and quick machine recovery to expedite issue resolution. Microsoft also introduced Windows 365 Reserve for business continuity.
Man pleads guilty to hacking networks to pitch security services
Date: 2025-06-26 | Source: BleepingComputer
Nicholas Michael Kloster, a 32-year-old from Kansas City, pleaded guilty to hacking multiple organizations, including a health club and a nonprofit, to promote his cybersecurity services. He accessed systems, sent emails offering his services, and manipulated his gym membership. Kloster also breached a nonprofit's computer to steal sensitive information and installed a VPN. He faces up to five years in prison and a $250,000 fine.
Man pleads guilty to hacking networks to pitch security services
2025-06-27 | SC Magazine: Guilt admitted by hacker who sought to promote cybersecurity services
Nicholas Michael Kloster pleaded guilty to hacking multiple organizations to promote his cybersecurity services. He misused his employer's credit card to buy a thumb drive for hacking and accessed a gym's surveillance system, altering his membership details before revealing the breach. Kloster later compromised a non-profit by using a boot disk for credential changes and VPN installation. He faces up to five years in prison, three years of supervised release, and a $250,000 fine.
2025-06-30 | TechRadar: Hacker pleads guilty to breaching company networks to pitch his own services
Nicholas Michael Kloster, a 32-year-old from Kansas City, has pleaded guilty to hacking multiple organizations, including a health club and a nonprofit, to promote his cybersecurity services. He accessed systems, manipulated data, and stole sensitive information, including credit card data from a former employer. Kloster faces up to five years in prison, a $250,000 fine, and restitution, with the exact sentence to be determined at a later sentencing hearing. The FBI investigated the case.
2025-07-01 | The Register: Terrible tales of opsec oversights: How cybercrooks get themselves caught
The article discusses various cybercriminals who were caught due to operational security (opsec) oversights. Notable cases include Kai West, accused of causing $25 million in damages and tracked via Bitcoin transactions; Nicholas Kloster, who used his employer's email for illegal activities; and Hector Monsegur, who failed to use Tor during a sensitive chat. Other examples include Zachary Shames, linked to spyware distribution, and Alexandre Cazes, whose email led to his arrest. Ross Ulbricht's basic opsec mistakes also contributed to his capture.
Microsoft 365 'Direct Send' abused to send phishing as internal users
Date: 2025-06-26 | Source: BleepingComputer
A phishing campaign is exploiting Microsoft 365's "Direct Send" feature, allowing attackers to send emails that appear to originate from internal users without authentication. Targeting over 70 organizations, primarily in the U.S., the campaign uses PowerShell to send emails impersonating voicemail notifications with QR codes leading to fake Microsoft login pages. Varonis recommends enabling the "Reject Direct Send" setting and implementing strict DMARC policies to mitigate risks associated with this feature.
Microsoft 365 'Direct Send' abused to send phishing as internal users
2025-06-27 | Risky.Biz: Risky Bulletin: Phishers abuse forgotten Direct Send feature
Phishing gangs are exploiting Microsoft's Direct Send feature in Exchange Online to send malicious emails to Microsoft 365 tenants. This feature allows devices within a network to send emails without authentication checks, enabling attackers to deliver phishing emails directly to employees. Varonis reports that this campaign has targeted over 70 organizations since May, primarily in the US. Microsoft has introduced a "Reject Direct Send" setting to help mitigate this risk.
2025-06-27 | SC Magazine: ClickFix intrusions skyrocket, report finds
Over 70 organizations, primarily in the U.S., have faced a phishing campaign exploiting Microsoft 365's Direct Send feature. This stealthy intrusion method has been active since last month, impacting various business sectors. The report highlights the increasing prevalence of such attacks, emphasizing the need for enhanced security measures to protect against these types of phishing threats.
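Direct Send abuse leaves a recognisable trace: the message claims a From: address in one of the tenant's own domains, but because it was handed to the MX endpoint from an arbitrary Internet host, SPF fails (the source IP is not in the domain's SPF record) and there is no DKIM signature. The header check below is an added example, not Varonis's detection logic or Microsoft's tooling; the two messages and the accepted-domain list are constructed for the example. The tenant-side fix referenced in the reporting is `Set-OrganizationConfig -RejectDirectSend $true` in Exchange Online PowerShell, alongside a DMARC policy of `p=reject` for the organisation's domains.

```python
"""Flag inbound mail that claims an internal sender but carries no sender authentication.

Added example (not from the article or from Varonis). A message whose From: domain is
one of the organisation's own domains, yet whose SPF and DKIM results are both not
'pass', is the pattern produced by unauthenticated relay through Direct Send.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's accepted domains

# Constructed sample: internal-looking From:, unauthenticated relay via the MX endpoint.
SUSPECT_MESSAGE = """\
Received: from 203.0.113.10 (unknown [203.0.113.10])
 by example-com.mail.protection.outlook.com with SMTP; Tue, 24 Jun 2025 09:12:01 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=example.com;
 dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=example.com;compauth=fail reason=001
From: Voicemail <helpdesk@example.com>
To: alice@example.com
Subject: New voicemail message
Content-Type: text/plain

You have a new voicemail. Scan the QR code to listen.
"""

# Constructed sample: genuine internal mail, authenticated end to end.
LEGIT_MESSAGE = """\
Authentication-Results: spf=pass (sender IP is 40.107.1.1) smtp.mailfrom=example.com;
 dkim=pass (signature was verified) header.d=example.com;
 dmarc=pass action=none header.from=example.com
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch

Pizza?
"""

AUTH_METHOD = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def auth_results(msg):
    """Collect the first spf/dkim/dmarc verdict from the Authentication-Results header(s)."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # Folded header values keep their line breaks; flatten before matching.
        for method, verdict in AUTH_METHOD.findall(hdr.replace("\n", " ")):
            results.setdefault(method, verdict.lower())
    return results


def classify(raw_message, internal_domains=INTERNAL_DOMAINS):
    """Return the From: domain, the auth verdicts, and whether this looks like a spoofed insider."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    verdicts = auth_results(msg)
    spoofed = (
        domain in internal_domains
        and verdicts.get("spf") != "pass"
        and verdicts.get("dkim") != "pass"
    )
    return {"from_domain": domain, "auth": verdicts, "spoofed_internal": spoofed}


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, classify(raw))
```

A message that passes SPF but fails DKIM (or the reverse) is still treated as legitimate here, since either result proves the relay was authorised; tighten the rule to require DMARC alignment if the organisation's domains already publish `p=reject`.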
CISA Adds 3 Flaws to KEV Catalog, Impacting AMI MegaRAC, D-Link, Fortinet
Date: 2025-06-26 | Source: The Hacker News
CISA added three vulnerabilities to its KEV catalog: CVE-2024-54085 (CVSS 10.0) in AMI MegaRAC, allowing remote control via authentication bypass; CVE-2024-0769 (CVSS 5.3) in D-Link DIR-859 routers, enabling privilege escalation (unpatched due to EoL); and CVE-2019-6693 (CVSS 4.2) in FortiOS, exposing sensitive data through a hard-coded key. Federal agencies must implement mitigations by July 16, 2025. Exploitation details remain unclear, but links to Akira ransomware have been noted.
2025-06-26 | BleepingComputer: CISA: AMI MegaRAC bug enabling server hijacks exploited in attacks
CISA has confirmed that a critical vulnerability (CVE-2024-54085) in AMI's MegaRAC BMC software is actively exploited, allowing remote unauthenticated attackers to hijack unpatched servers. This flaw enables attackers to deploy malware, cause physical damage, and create indefinite reboot loops. Discovered by Eclypsium, the vulnerability affects multiple vendors, with federal agencies required to patch by July 16, 2025. All network defenders are urged to prioritize patching to mitigate risks.
2025-06-26 | Ars Technica: Actively exploited vulnerability gives extraordinary control over server fleets
Hackers are exploiting a critical vulnerability (CVE-2024-54085) in AMI MegaRAC firmware, rated 10/10 in severity, allowing complete control over server fleets. This vulnerability enables authentication bypass via a simple HTTP request to a vulnerable baseboard management controller (BMC). Discovered by Eclypsium and disclosed in March, it permits remote attackers to create admin accounts without authentication. Successful exploitation of one BMC can lead to further internal network compromises.
Hacker 'IntelBroker' charged in US for global data theft breaches
Date: 2025-06-25 | Source: BleepingComputer
A British hacker known as "IntelBroker," real name Kai West, has been indicted by the U.S. for stealing and selling sensitive data, causing an estimated $25 million in damages. The indictment includes charges of conspiracy to commit computer intrusions and wire fraud, with potential penalties of up to 25 years in prison. West's activities involved selling stolen data on BreachForums, impacting organizations like Europol and General Electric. He was arrested in February 2025, and extradition to the U.S. is sought.
2025-06-26 | Recorded Future: British hacker 'IntelBroker' charged in US over spree of company breaches
The U.S. has charged British hacker Kai West, known as “IntelBroker,” with breaching over 40 companies, causing $25 million in damages. Arrested in France, he awaits extradition and faces up to 20 years in prison. West allegedly sold stolen sensitive data, including healthcare records, on BreachForums. Investigators linked him to the alias through cryptocurrency transactions and IP address matches. He is connected to high-profile breaches affecting U.S. state agencies and healthcare organizations.
2025-06-26 | Cyberscoop: Notorious cybercriminal ‘IntelBroker’ arrested in France, awaits extradition to US
Kai West, known as “IntelBroker,” was arrested in France and faces extradition to the U.S. for stealing data from over 40 organizations, causing over $25 million in damages. Charged with conspiracy, computer intrusions, and wire fraud, he allegedly sold stolen data, including sensitive customer and patient information, from January 2023 to February 2025. His activities included 158 posts on Forum-1, with specific asking prices totaling nearly $2.5 million for the stolen data.
2025-06-26 | TechCrunch: US, French authorities confirm arrest of BreachForums hackers
U.S. and French authorities have arrested five hackers linked to BreachForums, including British national Kai West, known as IntelBroker. West faces charges for a hacking scheme causing over $25 million in damages, targeting over 40 victims, including a healthcare provider whose sensitive patient data he attempted to sell. The arrests aim to dismantle the forum's administration, which was previously shut down in 2023 and 2024. West is charged with multiple counts, including conspiracy and wire fraud.
2025-06-26 | The Register: FBI used bitcoin wallet records to peg notorious IntelBroker as UK national
The FBI has identified Kai West, a 25-year-old British national, as the notorious data thief IntelBroker, who allegedly hacked over 40 victims globally, causing at least $25 million in damages. Charged with four counts, West's activities included stealing and selling sensitive data, including healthcare information. Arrested in France in February 2025, he was linked to BreachForums and traced through bitcoin wallet records. The US seeks his extradition, with charges carrying a maximum 20-year sentence.
2025-06-27 | TechRadar: British man behind ‘IntelBroker’ hacker group charged with stealing millions
Kai West, a British man, has been charged by US authorities for his alleged involvement in the hacking group 'IntelBroker,' which has targeted around 40 organizations globally, causing over $25 million in damages. The group has attacked firms like AMD, Apple, and CISCO, selling stolen data on the dark web. West faces up to 20 years in prison for wire fraud and computer intrusion conspiracy. He was arrested in France in early 2025, and the US is seeking his extradition.
2025-06-27 | SC Magazine: UK hacker 'IntelBroker' to face charges in the US
A British hacker, Kai West, known as IntelBroker, faces extradition to the U.S. on four counts related to a hacking operation causing $25 million in damages to over 40 victims, including telecom and healthcare sectors. Arrested in February 2025, he is accused of demanding ransom after data breaches, including a theft of Cisco data. West's online activity on the Forum-1 cybercrime board linked him to the crimes. If convicted, he could face up to 20 years in prison.
Cisco warns of critical flaws in Identity Services Engine rated 10.0
Date: 2025-06-25 | Source: SC Magazine
Cisco issued a warning on critical vulnerabilities in its Identity Services Engine (ISE) rated 10.0 CVSS. Two flaws, CVE-2025-20281 and CVE-2025-20282, allow unauthenticated remote attackers to execute commands as root. The first flaw involves insufficient input validation in an exposed API, while the second concerns improper file handling that lets an attacker upload a file to a privileged directory and execute it. CVE-2025-20281 affects ISE versions 3.3 and 3.4; CVE-2025-20282 affects 3.4 only. No mitigations are available, so administrators are urged to patch affected appliances immediately.
2025-06-26 | The Hacker News: Critical RCE Flaws in Cisco ISE and ISE-PIC Allow Unauthenticated Attackers to Gain Root Access
Cisco has released updates for two critical remote code execution vulnerabilities in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), identified as CVE-2025-20281 and CVE-2025-20282, both with a CVSS score of 10.0. CVE-2025-20281 allows unauthenticated attackers to execute arbitrary code, while CVE-2025-20282 permits file uploads for execution. No workarounds exist; users should update to ISE 3.3 Patch 6 or 3.4 Patch 2. No exploitation has been reported.
2025-06-26 | BleepingComputer: Cisco warns of max severity RCE flaws in Identity Services Engine
Cisco has issued a warning about two critical unauthenticated remote code execution (RCE) vulnerabilities in Cisco Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC), tracked as CVE-2025-20281 and CVE-2025-20282, both rated CVSS 10.0. The flaws allow remote attackers to execute arbitrary commands and upload files with root privileges. Users should upgrade to ISE 3.3 Patch 6 or 3.4 Patch 2. Additionally, a medium-severity authentication bypass flaw, CVE-2025-20264, affects all ISE versions up to 3.4.
2025-06-26 | The Register: Cisco fixes two critical make-me-root bugs on Identity Services Engine components
Cisco has released patches for two critical vulnerabilities in the Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), tracked as CVE-2025-20281 (9.8/10) and CVE-2025-20282 (10/10). Both allow unauthenticated remote code execution as root. CVE-2025-20281 affects versions 3.3 and 3.4, while CVE-2025-20282 affects only version 3.4. No known exploits exist yet. Updates should be applied immediately, with specific patches recommended for each vulnerability.
Bugs found in five leading printers, one of them a critical 9.8 flaw
Date: 2025-06-25 | Source: SC Magazine
A research project by Rapid7 identified eight vulnerabilities in multifunction printers, including a critical authentication bypass flaw (CVE-2024-51978) rated 9.8. Affected models span five vendors: Brother, Fujifilm, Ricoh, Toshiba, and Konica Minolta. Security teams must ensure firmware updates are applied and manually change default administrator passwords. The vulnerabilities pose risks, especially in sectors like healthcare, where printers may store sensitive data. A remediation plan and defense-in-depth strategies are recommended.
2025-06-26 | TechRadar: Millions of Brother printers threatened by multiple serious vulnerabilities – enterprise and home printers at risk
Rapid7 research has identified eight serious vulnerabilities affecting 689 Brother printer models, along with devices from Fujifilm, Ricoh, Toshiba and Konica Minolta that share components through the same supply chain. The most critical vulnerability, CVE-2024-51978, has a CVSS score of 9.8: the factory default administrator password is derived from the device serial number, so an attacker who obtains the serial can compute the password and take over the device. Because the password is set at the factory, full remediation for existing units requires a change to the manufacturing process rather than a firmware update. Other vulnerabilities include information retrieval, buffer overflow, and device crashes. Brother has published fixes and workarounds, and Rapid7 has released mitigation guidance.
2025-06-26 | BleepingComputer: Brother printer bug in 689 models exposes default admin passwords
A vulnerability affecting 689 Brother printer models and others from Fujifilm, Toshiba, and Konica Minolta allows remote attackers to generate default admin passwords (CVE-2024-51978). This flaw, part of eight vulnerabilities identified by Rapid7, cannot be fixed via firmware for existing devices. Attackers can exploit this to gain control, execute code, or access sensitive information. Users are advised to change default passwords and apply firmware updates. Security bulletins are available for affected manufacturers.
2025-06-27 | Security Magazine: Millions of Printers Exposed to Hacking Due to New Vulnerabilities
Research from Rapid7 identifies eight new vulnerabilities affecting 748 multifunction printer models from five vendors, including Brother, FUJIFILM, Ricoh, Konica Minolta, and Toshiba. The most critical is an authentication bypass flaw (CVE-2024-51978) in Brother devices, allowing attackers to leak serial numbers and generate admin passwords. Experts emphasize the need for organizations to secure remote work environments, manage IoT devices, and prioritize patching to mitigate risks, especially in sensitive sectors like healthcare.
2025-06-30 | The Verge: Hundreds of Brother printer models have an unpatchable security flaw
Serious security flaws have been identified in hundreds of Brother printer models, allowing remote access for attackers using default passwords. Eight vulnerabilities were found, including CVE-2024-51978, rated 9.8 “Critical,” enabling password generation if the serial number is known. Seven vulnerabilities can be patched, but CVE-2024-51978 cannot be fixed via firmware and will require changes in manufacturing. Users are advised to change default admin passwords to enhance security.
Supply chain attacks surge with orgs 'flying blind' about dependencies
Date: 2025-06-25 | Source: The Register
A SecurityScorecard report reveals that 88% of 550 surveyed CISOs are concerned about supply chain security, yet less than half monitor their external suppliers adequately. 71% reported experiencing at least one impactful incident in the past year, with a 100% increase in third-party breaches noted by Verizon. The report emphasizes the need for a holistic cybersecurity strategy and better risk assessments, as many organizations struggle with data overload and inadequate vendor communication. Cyber resilience is deemed essential for effective risk management.
2025-06-26 | DIGIT: Report: Supply Chain Attacks a ‘Daily Reality’ As Vendor Security Lags
A report by SecurityScorecard highlights that over 70% of organizations experienced at least one significant third-party cyber incident in the past year, with 5% facing ten or more. Despite heightened concern among 88% of cybersecurity leaders about supply chain risks, fewer than 50% monitor cybersecurity across their supply chains. The report emphasizes the need for active defense strategies, including integrating threat intelligence and creating incident response workflows to address vulnerabilities effectively.
2025-06-27 | SC Magazine: Global supply chain attack readiness found lacking
A SecurityScorecard report reveals that most global businesses lack adequate monitoring of their external suppliers' cybersecurity, despite concerns from security leaders. Seventy-nine percent of organizations report that less than half of their third-party suppliers have implemented cybersecurity programs. Only 38% have vendor onboarding processes, and 26% conduct joint tabletop exercises. SecurityScorecard emphasizes the need for a holistic cybersecurity strategy to enhance resilience against supply chain attacks.
nOAuth Vulnerability Still Affects 9% of Microsoft Entra SaaS Apps Two Years After Discovery
Date: 2025-06-25 | Source: The Hacker News
A vulnerability in Microsoft Entra ID, known as nOAuth, still affects 9% of SaaS applications, allowing account takeovers. First disclosed in June 2023 and re-examined by Semperis, the flaw stems from SaaS apps that use the unverified email claim in Entra ID tokens as the user identifier: an attacker sets the mail attribute of a user in a tenant they control to the victim's email address, signs in through "Log in with Microsoft", and the app maps the attacker's token onto the victim's account. Semperis reported its findings to Microsoft, which reiterated its existing guidance. Developers must key accounts on immutable identifiers (the tenant and object IDs in the token) rather than on email. The issue poses a serious threat, facilitating data exfiltration and lateral movement within organizations.
2025-06-26 | SC Magazine: Microsoft Entra SaaS apps remain exposed to nOAuth flaw
A vulnerability in Microsoft Entra ID, known as nOAuth, could expose 9% of SaaS applications to attacks, as reported by Semperis. This flaw allows threat actors to alter mail attributes of Entra ID accounts, enabling them to hijack SaaS app accounts and potentially access Microsoft 365 resources. Mitigation requires proper authentication implementation by developers. This follows a Trend Micro report on the exploitation of misconfigured Kubernetes containers affecting AWS credentials.
2025-06-26 | SC Magazine: SaaS applications vulnerable to account theft flaw 'n0Auth'
A vulnerability known as n0Auth in SaaS platforms allows attackers to take over accounts using only a target's email address and access to a Microsoft Entra tenant. Semperis found that approximately 9% of tested SaaS applications are vulnerable. The flaw enables spoofing of email addresses during authentication, posing risks of data exfiltration, especially in applications integrated with Microsoft 365. Recommendations include implementing multi-factor authentication and not relying solely on email for user identification.
2025-06-27 | TechRadar: Microsoft Entra ID vulnerability allows full account takeover – and takes barely any effort
A severe vulnerability in Microsoft's Entra ID, named nOAuth, allows full account takeover affecting approximately 10% of over 150,000 SaaS applications. This cross-tenant authentication flaw enables attackers to bypass multi-factor authentication and zero-trust security, posing a significant risk to user data. Despite being disclosed in 2023, many apps remain vulnerable. Semperis urges SaaS vendors to patch their applications urgently to mitigate this persistent threat.
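The coverage above describes the flaw in the abstract; the following is an added example (not code from Semperis, Microsoft, or any affected SaaS vendor) showing the vulnerable account-lookup pattern beside the hardened one. The token claim sets, tenant and object IDs, and account store are constructed for the example. The claim names are Entra's: `tid` (tenant ID) and `oid` (object ID) together are immutable; `email` is attacker-controlled in the attacker's own tenant; `xms_edov` is an optional claim an app must request, and it is true only when the issuing tenant has verified ownership of the email's domain.

```python
"""Vulnerable vs. hardened user lookup for 'Log in with Microsoft' (OIDC) sign-in.

Added example, not from Semperis or Microsoft. All tokens and IDs are constructed.
The vulnerable path keys accounts on the unverified 'email' claim; the hardened path
keys on the (tid, oid) pair and treats 'email' as informational unless the issuer
marks it domain-verified via the optional 'xms_edov' claim.
"""

# Account store (assumption: the app keeps both lookup tables; constructed data).
# acct-42 was created when the real victim signed up from the victim's tenant.
ACCOUNTS = {
    "by_email": {"victim@target.example": "acct-42"},
    "by_tid_oid": {("tid-victim-tenant", "oid-victim-user"): "acct-42"},
}

# Token Entra would mint for an attacker who set mail=victim@target.example on a
# user in a tenant the attacker controls. Signature validation is assumed done.
ATTACKER_TOKEN = {
    "iss": "https://login.microsoftonline.com/tid-attacker-tenant/v2.0",
    "tid": "tid-attacker-tenant",
    "oid": "oid-attacker-user",
    "email": "victim@target.example",          # attacker-chosen, never verified
    "preferred_username": "mallory@attacker.example",
    "xms_edov": False,                         # target.example is not verified in that tenant
}

# Token for the genuine victim signing in from the victim's own tenant.
VICTIM_TOKEN = {
    "iss": "https://login.microsoftonline.com/tid-victim-tenant/v2.0",
    "tid": "tid-victim-tenant",
    "oid": "oid-victim-user",
    "email": "victim@target.example",
    "preferred_username": "victim@target.example",
    "xms_edov": True,
}


def resolve_vulnerable(claims):
    """nOAuth pattern: whoever presents a token carrying the victim's email gets the account."""
    return ACCOUNTS["by_email"].get(claims.get("email", "").lower())


def resolve_hardened(claims, allowed_tenants=None):
    """Identity is (tid, oid). Email may only link to an existing account if domain-verified."""
    key = (claims.get("tid"), claims.get("oid"))
    if None in key:
        return None                                   # malformed token: refuse
    if allowed_tenants is not None and key[0] not in allowed_tenants:
        return None                                   # multi-tenant app restricted to known tenants
    acct = ACCOUNTS["by_tid_oid"].get(key)
    if acct is not None:
        return acct                                   # returning user: immutable match
    # Unknown (tid, oid). Linking by email is allowed only when the issuing tenant
    # has verified the domain; otherwise the caller must provision a separate account.
    email = claims.get("email", "").lower()
    if claims.get("xms_edov") is True and email in ACCOUNTS["by_email"]:
        return ACCOUNTS["by_email"][email]
    return None


if __name__ == "__main__":
    print("vulnerable, attacker token ->", resolve_vulnerable(ATTACKER_TOKEN))   # acct-42: takeover
    print("hardened,   attacker token ->", resolve_hardened(ATTACKER_TOKEN))     # None
    print("hardened,   victim token   ->", resolve_hardened(VICTIM_TOKEN))       # acct-42
```

The `allowed_tenants` parameter models the simplest defence for apps that do not need arbitrary tenants: a single-tenant app registration, or an explicit tenant allow-list, removes the cross-tenant path entirely. Apps that must accept any tenant should never fall back to email without the verification claim.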
BreachForums hacking forum operators reportedly arrested in France
Date: 2025-06-25 | Source: BleepingComputer
French police arrested five operators of the BreachForums cybercrime forum, including known hackers "ShinyHunters," "Hollow," "Noct," and "Depressed," during raids in Hauts-de-Seine, Seine-Maritime, and Réunion. They are accused of involvement in data breaches affecting French entities like Boulanger and France Travail, compromising sensitive data of 43 million individuals. The forum, which facilitated the sale of stolen data, had previously relaunched after the arrest of its original operator in 2023.
2025-06-25 | Recorded Future: French police reportedly arrest suspected BreachForums administrators
French authorities arrested several individuals suspected of operating BreachForums, a major online marketplace for stolen data. Four suspects, known as ShinyHunters, Hollow, Noct, and Depressed, were detained by the Cybercrime Brigade. Another suspect, IntelBroker, was previously arrested. The suspects are accused of high-profile data breaches affecting companies like Boulanger and SFR. BreachForums had previously been disrupted in 2023 following the arrest of its founder, Conor Fitzpatrick.
2025-06-25 | The Register: French cybercrime police arrest five suspected BreachForums admins
French cybercrime police arrested four men linked to BreachForums, bringing the total to five suspects, including IntelBroker, previously captured in February. BreachForums, active from 2022 until it went offline in April 2025, was notorious for stolen data sales and criminal recruitment. The arrested individuals, in their twenties, are associated with attacks on Boulanger, France Travail, and the French football federation. Notably, the alias ShinyHunters is linked to high-profile breaches and was previously run by Sebastien Raoult, now imprisoned in the US.
2025-06-26 | SC Magazine: US, France crack down on BreachForums with arrests, IntelBroker indictment
French law enforcement has arrested four alleged leaders of the cybercrime marketplace BreachForums, which has been attempting a comeback since its compromise in April. The accused, including hackers "ShinyHunters," "Hollow," "Depressed," and "Noct," are linked to attacks on various French organizations. Additionally, U.S. authorities have indicted Kai West, known as IntelBroker, for cyber activities causing over $25 million in losses; he faces extradition and a combined statutory maximum of 50 years across the four counts.
2025-06-26 | Sophos: Taking the shine off BreachForums
On June 25, 2025, French authorities arrested four members of the ShinyHunters cybercriminal group linked to BreachForums. This follows the February arrest of Kai West (IntelBroker), a key figure in the forum. ShinyHunters has compromised various industries since 2020, selling stolen data on BreachForums. The forum has faced multiple takedowns and relaunches, with its latest version (v4) appearing on June 4, 2025, before being put up for sale on June 9. The forum remains offline as law enforcement intensifies actions against cybercrime.
Ransomware attack contributed to patient’s death, says Britain’s NHS
Date: 2025-06-25 | Source: Recorded Future
A ransomware attack by the Qilin group on Synnovis in June 2024 disrupted blood tests in London hospitals, contributing to a patient's death, as reported by the NHS. The attack affected over 900,000 individuals, exposing sensitive data, including names and NHS numbers. Delays in test results were cited as a factor in the patient's death. The investigation into the incident is nearing completion, but affected patients have not yet been informed about the data exposure. Blood stocks remained critically low in the wake of the attack.
2025-06-26 | TechRadar: Ransomware disruptions contributed to a patient death, NHS finds
A ransomware attack by the group Qilin targeted Synnovis, a London-based pathology service, in 2024, leading to severe disruptions in blood-testing services and contributing to a patient's death. The NHS confirmed that around 800 operations and 700 outpatient appointments were canceled. Personal information, including names and blood test data, was compromised. Qilin demanded a $50 million ransom, which Synnovis reportedly did not pay, resulting in the data being published online.
2025-06-26 | The Register: Qilin ransomware attack on NHS supplier contributed to patient fatality
The Qilin ransomware attack on NHS supplier Synnovis last year contributed to a patient's death, as confirmed by King's College Hospital NHS Trust. The attack caused delays in blood test results, impacting patient care. A review identified multiple factors leading to the death. The South East London Integrated Care Board reported 170 patients experienced harm, mostly categorized as "low harm." Synnovis CEO expressed sorrow over the incident, highlighting the ongoing threat of ransomware in healthcare.
Glasgow City Council Warns of Possible Data Theft Following ‘Cyber Incident’
Date: 2025-06-25 | Source: DIGIT
Glasgow City Council is addressing a cyber incident detected on June 19, 2025, by its ICT supplier, CGI, which may have led to customer data theft. Several servers were taken offline, disrupting core services like planning applications and penalty charge notices. While the extent of data compromise is unclear, residents are advised to be cautious of potential scams. The council is collaborating with Police Scotland and cybersecurity agencies to investigate, and financial systems remain unaffected.
2025-06-25 | Recorded Future: Glasgow City Council impacted by ‘cyber incident’
Glasgow City Council reported a cyber incident disrupting online services and potentially involving customer data theft. Discovered by IT supplier CGI, the incident affected servers managed by a third-party. The council has taken these servers offline and is presuming that customer data may have been exfiltrated. Residents are advised to be cautious of unsolicited contacts claiming to be from the council and to report suspicious interactions to Police Scotland.
2025-06-26 | The Register: Glasgow City Council online services crippled following cyberattack
A cyberattack on Glasgow City Council began on June 19, 2025, disrupting numerous online services due to a supply chain issue with a third-party contractor. The council is investigating with Police Scotland and the National Cyber Security Centre. While it cannot confirm data exfiltration, it is treating the situation as if data may have been stolen. Residents are advised to be cautious of phishing attempts and report cybercrime. No financial systems were compromised, and email communication remains secure.
North Korea-linked Supply Chain Attack Targets Developers with 35 Malicious npm Packages
Date: 2025-06-25 | Source: The Hacker News
Cybersecurity researchers have identified 35 malicious npm packages linked to North Korea's Contagious Interview operation, collectively downloaded over 4,000 times. These packages, including react-plaid-sdk and sumsub-node-websdk, contain a hex-encoded loader, HexEval, which collects host information and delivers a JavaScript stealer, BeaverTail, leading to a Python backdoor, InvisibleFerret. The campaign targets developers via fake job offers, exploiting trust in recruiters, and showcases advanced social engineering and malware techniques.
2025-06-25 | BleepingComputer: New wave of ‘fake interviews’ use 35 npm packages to spread malware
A new North Korean 'Contagious Interview' campaign targets job seekers using 35 malicious npm packages, infecting devices with the BeaverTail info-stealer and InvisibleFerret backdoor. Disguised as legitimate coding assignments, these packages have been downloaded over 4,000 times. The attack involves a multi-stage infection chain, leading to data theft and persistent access. Developers are advised to exercise caution with remote job offers and run unknown code in secure environments.
2025-06-26 | SC Magazine: Dozens of malicious NPM packages deployed in new Contagious Interview attack wave
North Korean state-sponsored threat actors have uploaded 35 malicious npm packages as part of the Contagious Interview campaign, amassing over 4,000 downloads. These packages used the HexEval loader to gather host details and deploy the BeaverTail information-stealing malware, which in turn executes the InvisibleFerret backdoor for data exfiltration and remote control. Most malicious packages have been removed from the npm registry. This campaign showcases advanced techniques in supply chain attacks, combining malware staging and social engineering.
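The three reports agree on the packaging trick: the loader is stored as a hex-encoded string that is decoded and evaluated at runtime, so the plaintext never appears in the package. A cheap pre-install check is to decode every long hex literal in a package's JavaScript and look for what it turns into. The scanner below is an added example, not the researchers' tooling and not a signature for HexEval; it is a generic heuristic for this encoding style. The sample package contents (`SAMPLE_JS`, `BENIGN_JS`, the `package.json`) are constructed for the example.

```python
"""Heuristic scan of an npm package for hex-encoded JavaScript that decodes to loader-like code.

Added example; not from the researchers who reported the campaign. The sample files
are constructed. The heuristic: any string literal of 40+ hex characters is decoded as
UTF-8, and the result is searched for tokens typical of a staged loader.
"""
import json
import re

HEX_LITERAL = re.compile(r"""['"`]([0-9a-fA-F]{40,})['"`]""")
HEX_EVAL = re.compile(r"""eval\s*\(\s*Buffer\.from\s*\([^)]*['"]hex['"]""")
SUSPICIOUS = ("eval(", "Function(", "child_process", "require(", "fetch(", "http", "process.env", "os.")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample: a payload hidden as hex and eval'd, the pattern the reporting describes.
PAYLOAD_JS = 'const os=require("os");require("child_process").execSync("whoami");'
SAMPLE_JS = (
    'const d="' + PAYLOAD_JS.encode().hex() + '";\n'
    'eval(Buffer.from(d,"hex").toString("utf8"));\n'
)
# Constructed benign file: a long hex string that is just a digest, not code.
BENIGN_JS = 'const sha="' + "a" * 64 + '";\nmodule.exports = {sha};\n'


def decode_hex_literals(source):
    """Return findings for hex literals that decode to text containing loader-like tokens."""
    findings = []
    for m in HEX_LITERAL.finditer(source):
        hexstr = m.group(1)
        if len(hexstr) % 2:
            continue                                    # odd length cannot be bytes
        try:
            text = bytes.fromhex(hexstr).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                                    # digests, random bytes: not text
        hits = [tok for tok in SUSPICIOUS if tok in text]
        if hits:
            findings.append({
                "offset": m.start(1),
                "hex_length": len(hexstr),
                "indicators": hits,
                "decoded_preview": text[:80],
            })
    return findings


def scan_package(files):
    """files: {relative_path: source}. Flags hex-eval constructs, decoded payloads, install hooks."""
    report = {}
    for path, src in files.items():
        if path.endswith(".js") or path.endswith(".cjs") or path.endswith(".mjs"):
            entry = {}
            if HEX_EVAL.search(src):
                entry["hex_eval"] = True
            decoded = decode_hex_literals(src)
            if decoded:
                entry["decoded_payloads"] = decoded
            if entry:
                report[path] = entry
        elif path.endswith("package.json"):
            scripts = json.loads(src).get("scripts", {})
            hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
            if hooks:
                report[path] = {"install_hooks": hooks}   # runs automatically on npm install
    return report


if __name__ == "__main__":
    pkg = {
        "index.js": SAMPLE_JS,
        "util.js": BENIGN_JS,
        "package.json": json.dumps({"name": "demo", "scripts": {"postinstall": "node index.js"}}),
    }
    print(json.dumps(scan_package(pkg), indent=2))
```

Run it over the unpacked tarball of a dependency (`npm pack <name>` then extract) before the package is installed, since an install hook is exactly where such a loader fires; a hit on both `hex_eval` and a `postinstall` script is a strong reason to stop and read the decoded text.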
Don't panic, but it's only a matter of time before critical 'CitrixBleed 2' is under attack
Date: 2025-06-24 | Source: The Register
Citrix has patched a critical vulnerability, CVE-2025-5777, in its NetScaler ADC and Gateway products, rated 9.3 in severity. This flaw allows remote exploitation without authentication, enabling attackers to read sensitive information like session tokens. Affected versions include various builds of NetScaler ADC and Gateway prior to specified updates. Citrix advises immediate upgrades and executing specific commands to terminate active sessions post-patch. The vulnerability is expected to attract attacker interest soon, similar to the previous CitrixBleed flaw.
2025-06-25 | The Hacker News: Citrix Bleed 2 Flaw Enables Token Theft; SAP GUI Flaws Risk Sensitive Data Exposure
Cybersecurity researchers reported two patched vulnerabilities in SAP GUI (CVE-2025-0055 and CVE-2025-0056, CVSS 6.0) that could expose sensitive data due to insecure storage of user input history. SAP has advised disabling this feature and deleting affected files. Additionally, Citrix patched a critical flaw (CVE-2025-5777, CVSS 9.3) in NetScaler, allowing attackers to steal session tokens via malformed requests. Users are urged to upgrade to supported versions and terminate active sessions post-update.
2025-06-25 | Cybersecurity Dive: Critical vulnerability in Citrix Netscaler raises specter of exploitation wave
A critical vulnerability in Citrix NetScaler, tracked as CVE-2025-5777, poses a severe risk with a score of 9.3: insufficient input validation leads to an out-of-bounds memory read when the appliance is configured as a Gateway or AAA virtual server. Security experts warn of possible exploitation similar to the CitrixBleed crisis in 2023. Citrix advises immediate upgrades and notes that versions 12.1 and 13.0 are end-of-life, so customers on those builds must move to a supported, patched release. The Cybersecurity and Infrastructure Security Agency recommends using memory-safe programming languages to mitigate such vulnerabilities.
2025-06-25 | BleepingComputer: New 'CitrixBleed 2' NetScaler flaw let hackers hijack sessions
A new vulnerability in Citrix NetScaler ADC and Gateway, named "CitrixBleed 2," has been identified, affecting versions prior to 14.1-43.56 and 13.1-58.32. The critical flaw, CVE-2025-5777, allows unauthenticated attackers to hijack session tokens and credentials. A second flaw, CVE-2025-5349, involves improper access control. Citrix recommends updating to the latest versions and terminating active sessions post-update to mitigate risks. Over 56,500 exposed endpoints may be at risk.
2025-06-25 | BleepingComputer: Citrix warns of NetScaler vulnerability exploited in DoS attacks
Citrix warns of a critical vulnerability in NetScaler appliances, tracked as CVE-2025-6543, actively exploited in denial of service (DoS) attacks. This flaw affects NetScaler ADC and Gateway versions prior to specified updates and can be triggered by unauthenticated remote requests. Citrix has released patches for affected versions. Administrators are urged to apply these patches promptly and monitor for unusual user sessions and abnormal behavior. Another critical flaw, CVE-2025-5777, also poses risks.
2025-06-25 | Recorded Future: Citrix warns of exploitation of Netscaler devices through new bugs
Citrix has issued a warning regarding exploitation of a critical vulnerability, CVE-2025-6543, affecting its NetScaler ADC and Gateway appliances, with a severity score of 9.2. Exploits have been observed on unmitigated devices. Citrix advised customers to update their software. Two additional vulnerabilities, CVE-2025-5349 and CVE-2025-5777, may allow attackers to read sensitive data and bypass multi-factor authentication. The U.K. NHS and cybersecurity experts have raised alarms, likening these issues to the previously exploited Citrix Bleed vulnerability.
2025-06-25 | Cyberscoop: Citrix users hit by actively exploited zero-day vulnerability
Citrix disclosed a zero-day vulnerability (CVE-2025-6543) affecting multiple versions of its NetScaler products, with a CVSS score of 9.2. This memory overflow defect allows for unintended control flow and denial of service, but exploitation requires specific configurations. Citrix's announcement follows previous vulnerabilities (CVE-2025-5777 and CVE-2025-5349) in the same products. Concerns have been raised regarding the timing and nature of the vulnerability, with skepticism about its classification as a denial of service.
2025-06-25 | The Register: Citrix bleeds again: This time a zero-day exploited - patch now
Citrix has issued an emergency patch for a critical zero-day vulnerability, CVE-2025-6543, affecting NetScaler ADC and Gateway products, with a severity score of 9.2. This memory overflow flaw can lead to unintended control flow and denial of service. It impacts versions 14.1, 13.1, and end-of-life versions 12.1 and 13.0. Exploits have been observed, raising concerns about potential backdoors. Organizations are urged to patch immediately and terminate active sessions to mitigate risks from both CVE-2025-6543 and the earlier CVE-2025-5777.
2025-06-25 | SC Magazine: Citrix patches critical 0-day amid ‘CitrixBleed 2’ concerns
Citrix has patched two critical vulnerabilities affecting its NetScaler ADC and Gateway. The first, CVE-2025-5777, disclosed on June 17, has a CVSS score of 9.3 and could leak sensitive information like session tokens, potentially allowing account hijacking. The second, CVE-2025-6543, disclosed later, has a CVSS score of 9.2 and has already been exploited, leading to denial of service. Organizations are advised to apply patches immediately and terminate active sessions post-update to mitigate risks.
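Every item in this group turns on the same two facts: which build a NetScaler is running, and whether that build is at or above the fixed build for CVE-2025-5777. The checker below is an added example, not Citrix's tooling; it parses the `show version` output format (`NetScaler NS14.1: Build 43.50.nc, ...`) and compares against the fixed builds named in the coverage above (14.1-43.56 and 13.1-58.32), treating the end-of-life 12.1 and 13.0 trains as vulnerable regardless of build. FIPS and NDcPP builds have their own fixed numbers and are deliberately not covered here; consult the Citrix bulletin for those. The version strings in the usage block are constructed.

```python
"""Assess a NetScaler 'show version' string against the fixed builds for CVE-2025-5777.

Added example, not from Citrix. Fixed builds are the ones named in the reporting
(14.1-43.56, 13.1-58.32); 12.1 and 13.0 are end-of-life and always reported as such.
FIPS/NDcPP trains are not covered. Sample version strings are constructed.
"""
import re

FIXED_BUILDS = {"14.1": (43, 56), "13.1": (58, 32)}   # release -> (major build, minor build)
EOL_RELEASES = {"12.1", "13.0"}

# Citrix's post-upgrade guidance: terminate sessions that may carry leaked tokens.
POST_PATCH_COMMANDS = ("kill icaconnection -all", "kill pcoipConnection -all")

VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s*(\d+)\.(\d+)")


def parse_version(show_version_output):
    """Return (release, (build_major, build_minor)) from 'NetScaler NS14.1: Build 43.50.nc, ...'."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("unrecognised NetScaler version string: %r" % show_version_output)
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(show_version_output):
    """Classify the appliance as patched, vulnerable, end-of-life, or unknown release."""
    release, build = parse_version(show_version_output)
    result = {"release": release, "build": "%d.%d" % build}
    if release in EOL_RELEASES:
        result["status"] = "end-of-life"
        result["action"] = "upgrade to a supported release; then run: " + "; ".join(POST_PATCH_COMMANDS)
        return result
    fixed = FIXED_BUILDS.get(release)
    if fixed is None:
        result["status"] = "unknown"
        result["action"] = "release train not in this table; check the Citrix bulletin"
        return result
    if build >= fixed:
        result["status"] = "patched"
        result["action"] = "run once after upgrade: " + "; ".join(POST_PATCH_COMMANDS)
    else:
        result["status"] = "vulnerable"
        result["fixed_build"] = "%s-%d.%d" % (release, fixed[0], fixed[1])
        result["action"] = "upgrade to %s, then run: %s" % (result["fixed_build"], "; ".join(POST_PATCH_COMMANDS))
    return result


if __name__ == "__main__":
    # Constructed inputs in the 'show version' format.
    for line in (
        "NetScaler NS14.1: Build 43.50.nc, Date: May 19 2025, 10:11:12",
        "NetScaler NS14.1: Build 43.56.nc, Date: Jun 11 2025, 08:00:00",
        "NetScaler NS13.1: Build 58.31.nc, Date: May 30 2025, 09:00:00",
        "NetScaler NS13.0: Build 92.21.nc, Date: Jan 10 2024, 09:00:00",
    ):
        print(assess(line))
```

The session-kill commands matter as much as the upgrade: CVE-2025-5777 leaks session tokens from memory, so a token stolen before patching remains valid until the sessions holding it are terminated. A fleet check should also capture the output of `show version` from every HA node and cluster member, since a secondary left on an older build reintroduces the exposure on failover.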
Beware of fake SonicWall VPN app that steals users' credentials
Date: 2025-06-24 | Source: The Register
Unknown attackers are distributing a fake SonicWall VPN app to steal users' credentials. The modified version of SonicWall's SSL VPN NetExtender (10.3.2.27) is digitally signed with a fraudulent certificate and available on spoofed sites. The Trojanized installer captures VPN configuration details and sends them to a remote server (IP: 132.196.198.163). SonicWall and Microsoft have taken down the fake sites and revoked the certificate, urging users to download apps only from trusted sources.
Beware of fake SonicWall VPN app that steals users' credentials
2025-06-24 | BleepingComputer: SonicWall warns of trojanized NetExtender stealing VPN logins
SonicWall warns of a trojanized version of its NetExtender SSL VPN client, which is being used to steal VPN credentials. The malicious installer mimics NetExtender v10.3.2.27 and is hosted on a spoofed website. Although not signed by SonicWall, it is signed by "CITYLIGHT MEDIA PRIVATE LIMITED." The trojanized application exfiltrates VPN configuration and account credentials to a remote server. SonicWall advises users to download software only from official portals and to scan files with updated antivirus software.
2025-06-25 | The Hacker News: SonicWall NetExtender Trojan and ConnectWise Exploits Used in Remote Access Attacks
Unknown threat actors are distributing a trojanized version of SonicWall's SSL VPN NetExtender to steal user credentials. The malware, named SilentRoute, impersonates version 10.3.2.27 and is delivered via a fake website. It exfiltrates VPN configuration details to a remote server. Additionally, a threat cluster called EvilConwi abuses ConnectWise to embed malicious code without invalidating digital signatures, primarily using phishing emails and fake AI tool sites for initial access.
2025-06-25 | TechRadar: SonicWall warns of fake VPN apps stealing user logins and putting businesses at risk - here's what we know
SonicWall warns of malicious VPN software impersonating its NetExtender client, distributed via fake websites. The trojanized application steals user credentials and VPN configurations, posing risks to businesses. The fake client is signed by "CITYLIGHT MEDIA PRIVATE LIMITED" and uses SEO poisoning to appear above legitimate sites. SonicWall advises users to download software only from official sources. SonicWall's and Microsoft's tools can detect the malware, but third-party software may not yet be updated.
2025-06-25 | BleepingComputer: Hackers turn ScreenConnect into malware using Authenticode stuffing
Threat actors are exploiting the ConnectWise ScreenConnect installer to create signed remote access malware through a technique called Authenticode stuffing. This method modifies the certificate table while preserving the digital signature. Malicious binaries were found linked to phishing attacks, with infected files masquerading as legitimate software. ConnectWise has since revoked the compromised certificate. Additionally, trojanized versions of the SonicWall NetExtender VPN client have been reported, designed to capture sensitive credentials.
2025-06-26 | SC Magazine: Malware crafted through ConnectWise ScreenConnect exploitation
Malicious actors are exploiting ConnectWise ScreenConnect installers in an Authenticode stuffing attack, creating signed remote access malware. The attacks involve phishing via malicious PDFs and Canva pages linked to a Cloudflare R2-hosted trojanized ScreenConnect client. ConnectWise has invalidated the certificate used for these binaries. Organizations are advised to install software only from legitimate sources to mitigate risks associated with this malware.
Windows 10 users can get extended security updates using Microsoft points
Date: 2025-06-24 | Source: BleepingComputer
Microsoft announced that Windows 10 home users can enroll in the Extended Security Updates (ESU) program at no cost using Microsoft Rewards points or by enabling Windows Backup. Support for Windows 10 ends on October 14, 2025, exposing unpatched systems to vulnerabilities. The ESU program for consumers is a one-year option for $30, or free with 1,000 points. Organizations can subscribe for $61 per device. Enrollment begins today for Windows Insiders and will roll out to all users by mid-August.
Windows 10 users can get extended security updates using Microsoft points
2025-06-25 | The Hacker News: Microsoft Extends Windows 10 Security Updates for One Year with New Enrollment Options
Microsoft is extending Windows 10 Extended Security Updates (ESU) for an additional year, allowing users to enroll by paying $30, syncing settings to the cloud, or redeeming 1,000 Microsoft Rewards points. This extension runs from October 15, 2025, to October 13, 2026, as support officially ends on October 14, 2025. The enrollment wizard will be available in July for Windows 10 users. ESUs will not include new features or non-security updates, and a Microsoft account is required for certain options.
2025-06-25 | Times Now: Microsoft Windows 10 Security Updates Are Free Until 2026: But It Comes At A Cost Though
Microsoft is offering free security updates for Windows 10 until October 13, 2026, to users not enrolled in the paid Extended Security Updates program. Users can access these updates by opting for Windows Backup or using 1,000 Microsoft Rewards points. While individual consumers can receive updates for free, businesses and educational institutions will need to pay for updates for up to three years. This initiative aims to facilitate the transition from Windows 10 to Windows 11, which is seeing increasing adoption.
New FileFix attack weaponizes Windows File Explorer for stealthy commands
Date: 2025-06-24 | Source: BleepingComputer
A cybersecurity researcher, mr.d0x, has developed FileFix, a variant of the ClickFix attack, which exploits Windows File Explorer to execute malicious commands. This method tricks users into pasting commands into File Explorer, disguised as a notification about a shared file. The attack uses a phishing page with an "Open File Explorer" button that copies a PowerShell command to the clipboard. FileFix enhances the ClickFix technique by utilizing a familiar interface, making it more likely to be adopted by threat actors.
New FileFix attack weaponizes Windows File Explorer for stealthy commands
2025-06-24 | Tomsguide: New FileFix attack brings ClickFix social engineering to Windows File Explorer — how to stay safe
A new FileFix attack, developed by cybersecurity researcher mr.d0x, utilizes Windows File Explorer to execute malicious commands through social engineering, similar to the ClickFix method. This attack tricks users into pasting commands into File Explorer, which can execute OS commands. It bypasses antivirus software by leveraging user actions. To stay safe, avoid interacting with suspicious pop-ups and educate others about these tactics to prevent falling victim to such scams.
2025-06-25 | TechRadar: Windows users warned of major security issue - here's why FileFix attack could be a big concern
A new social engineering attack called FileFix has been developed, targeting Windows users. This variant of the ClickFix attack uses a fake notification to trick users into pasting a command into the File Explorer address bar, potentially allowing cybercriminals to execute commands on the victim's system. While Microsoft Defender SmartScreen and Google Safe Browsing may provide warnings, users are advised to be cautious of unexpected pop-ups and to avoid untrusted windows.
2025-06-26 | The Hacker News: New FileFix Method Emerges as a Threat Following 517% Rise in ClickFix Attacks
A 517% increase in ClickFix attacks, utilizing fake CAPTCHA verifications, has been reported by ESET. This method leads to various threats, including ransomware and infostealers, with high detection rates in Japan, Peru, Poland, Spain, and Slovakia. A new technique, FileFix, allows attackers to trick users into executing malicious PowerShell commands via Windows File Explorer. Additionally, phishing campaigns using SharePoint links are becoming prevalent, as they evade detection by security software.
2025-06-27 | TechRadar: ClickFix fake error message malware spikes over 500%, takes second place as the most abused attack vector
ClickFix malware has surged by 517% in the last six months, becoming the second most abused attack vector after phishing. It tricks users into executing PowerShell commands under the guise of fixing a fake error, leading to the installation of infostealers like Lumma Stealer and VidarStealer. This method often bypasses antivirus protections. ESET's H2 2025 Threat Report also notes that SnakeStealer has surpassed Agent Tesla as the most detected infostealer, targeting numerous US and EU businesses.
Fewer ransomware attacks encrypting data, report finds
Date: 2025-06-24 | Source: Cybersecurity Dive
A Sophos report reveals that only 50% of ransomware attacks this year involved data encryption, down from 70% last year. The average ransom demand and payment decreased by 34% and 50%, respectively. Extortion-only attacks doubled to 6%, particularly affecting smaller organizations. While most attacks were attributed to software vulnerabilities, the percentage starting with credential compromises fell from 29% to 23%. Additionally, 41% of IT workers reported increased stress post-attack, highlighting a need for better support in incident response plans.
Fewer ransomware attacks encrypting data, report finds
2025-06-24 | Sophos: The State of Ransomware 2025
The sixth annual Sophos State of Ransomware report reveals that exploited vulnerabilities are the most common cause of ransomware incidents, accounting for 32% of attacks. Compromised credentials and email phishing are also significant vectors. Recovery rates for encrypted data are high at 97%, but backup recovery is at a six-year low. Ransom payments decreased, with 49% of victims paying ransoms. The average recovery cost dropped by 44% to $1.53 million, with faster recovery times reported.
2025-06-25 | DIGIT: Report: Ransom Costs Drop, But Half of Firms Still Pay Hackers
Nearly half of firms targeted by ransomware in 2024 paid the ransom, with median payments dropping 50% to $1 million. Companies negotiated lower ransoms in 71% of cases. Recovery costs fell to $1.53 million, with 53% fully recovering within a week. However, backup usage declined to 54%, and 40% of victims cited exploited vulnerabilities as the main attack vector. Recommendations include improving resource allocation, visibility, and implementing proactive security measures like multifactor authentication.
2025-06-25 | TechRadar: Nearly half of companies say they pay up ransomware demands - but here's why that could be a bad idea
A Sophos survey reveals that nearly half of organizations (49%) paid ransomware demands, averaging 85% of the requested amount, with median demands dropping from $2 million in 2024 to $1.3 million in 2025. Despite a slight decrease in encryption rates (50% of attacks), recovery remains high (97%). Common attack vectors include exploited vulnerabilities (32%) and compromised credentials (30%). Operational gaps, such as lack of expertise (40%), hinder defenses, prompting firms to adopt Managed Detection and Response services for better protection.
Researchers say cybercriminals are using jailbroken AI tools from Mistral and xAI
Date: 2025-06-23 | Source: Recorded Future
Cybercriminals are exploiting jailbroken AI tools from Mistral and xAI to create phishing emails, generate malicious code, and provide hacking tutorials. Two models, Grok and Mixtral, were identified on BreachForums, with Grok being manipulated to bypass its guardrails. Researchers noted a rise in uncensored LLMs, enabling threat actors to enhance their operations. The report highlights the inadequacy of current guardrails and the emergence of a jailbreak-as-a-service market, lowering entry barriers for attackers.
Researchers say cybercriminals are using jailbroken AI tools from Mistral and xAI
2025-06-24 | TechRadar: Watch out AI fans - cybercriminals are using jailbroken Mistral and Grok tools to build powerful new malware
Cybercriminals are exploiting jailbroken AI tools like Mistral's Mixtral and xAI's Grok to create advanced malware, including variants of 'WormGPT'. These malicious generative AI tools can generate phishing emails and hacking tutorials. Researchers from Cato CTRL noted that the emergence of WormGPT has led to the development of other uncensored LLMs, such as FraudGPT, indicating a growing market for these tools in cybercrime. Threat actors are also recruiting AI experts to develop custom LLMs for specific attacks.
2025-06-25 | Cisco Talos: Cybercriminal abuse of large language models
Cybercriminals are increasingly leveraging large language models (LLMs) for malicious activities, utilizing uncensored or custom-built models to bypass safety features. Tools like FraudGPT and WhiteRabbitNeo are marketed on the dark web, enabling users to create phishing emails, malware, and hacking tools. Jailbreaking techniques are employed to manipulate legitimate LLMs into producing harmful content. Additionally, LLMs themselves are targets for attacks, with risks of backdoored models and data poisoning in Retrieval Augmented Generation systems.
2025-06-25 | SC Magazine: Cybercriminals sell modified AI on BreachForums
Cybercriminals are jailbreaking AI models like Grok and Mixtral to create tools for phishing and hacking, according to Cato Networks. Modified versions, named WormGPT and FraudGPT, are sold on BreachForums for up to $5,000. Attackers manipulate AI behavior with crafted prompts, bypassing safety measures. The rise of open-source models complicates detection and takedown efforts. Experts warn of widespread uncensored LLMs and a growing trend of "jailbreak-as-a-service," raising concerns over AI misuse.
UAC-0001 Hackers Attacking ICS Devices Running Windows Systems as a Server
Date: 2025-06-23 | Source: Cyber Security News
UAC-0001, also known as APT28, targeted Ukrainian government agencies' ICS devices running Windows between March and April 2024. The attackers used social engineering via Signal to deliver a malicious document, "Act.doc," which executed macros to install malware (BEARDSHELL and SLIMAGENT) for persistent access and surveillance. The attack involved sophisticated techniques, including COM-hijacking and leveraging cloud services for command and control, indicating a prolonged campaign with ongoing data exfiltration activities.
UAC-0001 Hackers Attacking ICS Devices Running Windows Systems as a Server
2025-06-23 | BleepingComputer: APT28 hackers use Signal chats to launch new malware attacks on Ukraine
The Russian state-sponsored group APT28 is using Signal chats to target Ukrainian government entities with two new malware families: BeardShell and SlimAgent. Discovered by CERT-UA in March 2024, the attacks involved delivering malicious documents via Signal. BeardShell downloads PowerShell scripts and communicates with a C2 server using Icedrive API, while SlimAgent captures and encrypts screenshots. CERT-UA advises monitoring interactions with app.koofr.net and api.icedrive.net.
2025-06-24 | The Hacker News: APT28 Uses Signal Chat to Deploy BEARDSHELL Malware and COVENANT in Ukraine
APT28 has launched a cyber attack campaign in Ukraine using Signal to deliver BEARDSHELL and COVENANT malware. BEARDSHELL, written in C++, can execute PowerShell scripts and upload results via Icedrive API. The attack involves a macro-laced Word document that drops a DLL and a PNG file, allowing COVENANT to execute. CERT-UA warns of phishing emails exploiting vulnerabilities in Roundcube, targeting over 40 organizations with exploits for CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641.
2025-06-24 | Recorded Future: Social engineering and Signal chats led to new Russian malware attacks, Ukraine says
A hacking group linked to Russian military intelligence is targeting Ukrainian state agencies with new malware delivered via the Signal app. The malware strains, BeardShell and SlimAgent, allow backdoor access and stealthy screenshot capture. Attributed to APT28, the attacks exploit social engineering tactics, using phishing emails with malicious Word documents. Signal's lack of antivirus integration aids evasion. Ukrainian officials report increased use of Signal for malware delivery against government personnel.
WhatsApp messaging app banned on all US House of Representatives devices
Date: 2025-06-23 | Source: The Guardian
WhatsApp has been banned on all US House of Representatives devices due to cybersecurity concerns regarding user data protection and lack of encryption. The Office of Cybersecurity recommended alternative messaging apps such as Microsoft Teams, Wickr, Signal, iMessage, and FaceTime. Additionally, a recent incident involving Signal highlighted vulnerabilities, prompting the Pentagon to warn employees against using it for non-public unclassified information.
WhatsApp messaging app banned on all US House of Representatives devices
2025-06-24 | The Hacker News: U.S. House Bans WhatsApp on Official Devices Over Security and Data Protection Issues
The U.S. House of Representatives has banned WhatsApp on government-issued devices due to security concerns. The House Chief Administrative Officer cited risks related to data protection and transparency, stating WhatsApp lacks stored data encryption. Staff are prohibited from using the app, with alternatives like Microsoft Teams, Wickr, Signal, and iMessage recommended. WhatsApp's parent company, Meta, disagrees with the assessment, asserting that their app provides strong end-to-end encryption.
2025-06-24 | TechCrunch: US House bans WhatsApp from staff devices
The U.S. House of Representatives has banned WhatsApp on staff devices due to security concerns, citing risks related to data protection and lack of encryption. The Office of Cybersecurity labeled the app as high risk and recommended alternatives like Signal, iMessage, FaceTime, and Microsoft Teams. In January, Meta reported disrupting a hacking campaign targeting 90 WhatsApp users, linked to Israeli spyware maker Paragon Solutions, which has several government clients.
2025-06-24 | TechRadar: Meta hits back after US House staffers banned from using WhatsApp over security fears
The US House's Chief Administrative Officer has banned WhatsApp on all government devices due to security concerns, citing a lack of data transparency and absence of stored data encryption. Staffers are instructed to remove the app. Meta disputes the ban, emphasizing WhatsApp's end-to-end encryption. Alternatives like Microsoft Teams, Wickr, Signal, iMessage, and FaceTime remain approved. This follows a similar ban by the Scottish government, which preferred enterprise messaging apps.
2025-06-24 | BleepingComputer: US House bans WhatsApp on staff devices over security concerns
The U.S. House of Representatives has banned WhatsApp on government-issued devices due to security concerns regarding data encryption. The ban applies to all devices used by congressional staff, while personal use remains permitted outside sensitive areas. The Chief Administrative Officer classified WhatsApp as a "high-risk" platform and recommended alternatives like Microsoft Teams and Signal. WhatsApp disputed this characterization, emphasizing its end-to-end encryption as superior to many approved apps.
2025-06-24 | SC Magazine: House prohibits WhatsApp on staffers' devices
The U.S. House of Representatives has prohibited the use of WhatsApp on staffers' government-issued devices due to data security concerns, including inadequate user data protections and lack of stored data encryption. House Chief Administrative Officer Catherine Szpindor emphasized the importance of monitoring cybersecurity risks. WhatsApp opposed the directive, highlighting its default end-to-end encryption as superior to many approved apps.
2025-06-24 | Cyberscoop: Meta confused over WhatsApp ban issued to House staffers
The House Chief Administrative Officer has banned WhatsApp on official devices due to cybersecurity concerns, citing risks related to data protection and lack of encryption for backups. Meta disputes this, highlighting WhatsApp's end-to-end encryption and noting that the Senate allows its use. Cybersecurity experts speculate that the ban may relate to backup encryption issues or potential AI integration risks. The CAO emphasizes ongoing monitoring of cybersecurity risks and app approvals.
Canada says Salt Typhoon hacked telecom firm via Cisco flaw
Date: 2025-06-23 | Source: BleepingComputer
The Canadian Centre for Cyber Security and the FBI report that the Chinese state-sponsored group 'Salt Typhoon' hacked a Canadian telecom provider in February 2025 by exploiting the CVE-2023-20198 Cisco IOS XE vulnerability. This flaw allows remote attackers to gain admin privileges. Despite prior warnings, the provider had not patched the vulnerability. The breach involved compromising three network devices to collect traffic data. The Cyber Centre warns that such attacks will likely continue, urging enhanced security measures.
Canada says Salt Typhoon hacked telecom firm via Cisco flaw
2025-06-23 | Ars Technica: Canadian telecom hacked by suspected China state group
Hackers linked to the Chinese government exploited CVE-2023-20198, a critical vulnerability in Cisco's IOS XE, to breach a Canadian telecom provider. This vulnerability, rated 10 in severity, had a patch released 16 months prior. The Canadian Cyber Centre and the FBI identified the attackers as the state-sponsored group Salt Typhoon, which previously compromised US telecoms like Verizon and AT&T, potentially monitoring sensitive wiretap systems.
2025-06-23 | TechCrunch: Canada says telcos were breached in China-linked espionage hacks
The Canadian government and FBI reported that a China-backed hacking group, Salt Typhoon, breached at least one unnamed Canadian telecommunications company in mid-February 2023, manipulating Cisco routers for stealthy traffic collection. The advisory indicates that Salt Typhoon's targeting extends beyond telecommunications and is part of a broader espionage campaign, with expectations of continued targeting of Canadian organizations over the next two years.
2025-06-24 | The Hacker News: China-linked Salt Typhoon Exploits Critical Cisco Vulnerability to Target Canadian Telecom
China-linked Salt Typhoon actors exploited a critical Cisco IOS XE vulnerability (CVE-2023-20198, CVSS 10.0) to breach a Canadian telecom in February 2025, accessing and modifying configuration files to set up a GRE tunnel for traffic collection. The U.S. FBI and Canadian Centre for Cyber Security warn that this targeting may extend beyond telecoms, allowing further breaches. Additionally, the U.K. NCSC reported malware families SHOE RACK and UMBRELLA STAND targeting Fortinet devices, with SHOE RACK enabling remote access.
2025-06-24 | TechRadar: Top Canadian telecom firms may have been hit by Chinese Salt Typhoon hackers
Canadian telecom firms have experienced cyberattacks attributed to the Chinese threat actor Salt Typhoon. The hackers exploited Cisco flaw CVE-2023-20198 to access three network devices, allowing them to retrieve and modify configuration files to create a GRE tunnel for traffic collection. A patch for this vulnerability has been available since October 2023, highlighting a significant security oversight. The Canadian Centre for Cyber Security warns that PRC cyber actors will likely continue targeting Canadian organizations for espionage.
2025-06-24 | Recorded Future: FBI cyber leader: US can’t forget about China's 'Typhoon' groups amid Mideast conflict
Brett Leatherman, head of the FBI’s Cyber Division, emphasized the ongoing cyber threat from China's Typhoon hacking groups, urging vigilance despite rising concerns over potential Iranian cyberattacks. He noted that China’s intrusions into U.S. critical infrastructure are significant and persistent. The Salt Typhoon group recently breached a Canadian telecom firm, with nine U.S. victims identified. Leatherman highlighted the long-term strategy of China in cyber exploitation, aiming to gather intelligence and erode U.S. strategic advantages.
REvil ransomware members released after time served on carding charges
Date: 2025-06-23 | Source: BleepingComputer
Four REvil ransomware members, arrested in January 2022, were released in Russia after serving time for carding and malware distribution charges. Andrey Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotayev pleaded guilty and were sentenced to five years but released early due to time served. Other members received longer sentences for refusing to plead guilty. REvil, a prolific ransomware group, faced significant law enforcement pressure following high-profile attacks, leading to multiple arrests and the group's eventual dismantling.
REvil ransomware members released after time served on carding charges
2025-06-23 | Cyberscoop: Russian court releases several REvil ransomware gang members
Four members of the REvil ransomware gang were released by a Russian court after being found guilty of financial fraud and computer crimes targeting American victims. They had been in pretrial detention since early 2022. The court ordered the confiscation of luxury vehicles and cash. This follows previous sentences for other gang members in October 2024. The REvil group was involved in significant cyberattacks, including the 2021 Kaseya incident.
2025-06-24 | The Register: Four REvil ransomware crooks walk free, escape gulag fate, after admitting guilt
Four members of the REvil ransomware group, Andrey Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotayev, were released after serving time in a Russian penal colony for crimes including the creation of malicious software. They were sentenced to five years but were released early due to time served. Their arrests followed a US request in January 2022. Meanwhile, four other members remain incarcerated with sentences ranging from 4.5 to 6 years for various cybercrimes.
2025-06-24 | Recorded Future: Russia releases REvil members after convictions for payment card fraud
A Russian court sentenced members of the REvil ransomware gang to five years for payment card fraud but released them immediately due to time served. The defendants were found guilty of trafficking stolen payment data, primarily targeting U.S. citizens. The court ordered the seizure of assets, including luxury cars and cash. This case follows increased scrutiny of cybercriminals in Russia after U.S.-Russia discussions on cybercrime. Previous REvil members received sentences of up to six and a half years.
2025-06-24 | SC Magazine: REvil ransomware members freed by Russia after conviction
Four members of the REvil ransomware group—Andrey Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotayev—were convicted in Russia for their involvement in cyberattacks primarily targeting the U.S. They received sentences of four-and-a-half to six years but were released after the court deemed their time served sufficient. U.S. intelligence aided in their apprehension, but cooperation has since deteriorated following Russia's invasion of Ukraine. Another member, Yevgeniy Polyanin, remains at large.
2025-06-25 | The Verge: Russia frees REvil hackers after sentencing
Four members of the REvil ransomware group, Roman Muromsky, Andrei Bessonov, Mikhail Golovachuk, and Dmitry Korotaev, were released by a St. Petersburg court after serving time awaiting trial. They pleaded guilty to fraud and malware distribution but were sentenced to five years, deemed sufficient due to prior detention. Their activities targeted US citizens, involving credit card fraud. The court ordered Bessonov to surrender luxury vehicles and Korotaev to forfeit over $1 million.
Data of more than 740,000 stolen in ransomware attack on Michigan hospital network
Date: 2025-06-23 | Source: Recorded Future
Ransomware hackers stole the Social Security numbers and health insurance information of over 740,000 individuals in an August 2024 attack on McLaren Health Care. The breach, discovered on August 5, revealed unauthorized access dating back to July 17. A forensic review confirmed the theft of names, driver’s license numbers, and medical information. Victims will receive one year of credit monitoring. This incident follows a previous attack impacting 2.1 million people by the AlphV ransomware gang.
Data of more than 740,000 stolen in ransomware attack on Michigan hospital network
2025-06-23 | BleepingComputer: McLaren Health Care says data breach impacts 743,000 patients
McLaren Health Care reported a data breach affecting 743,000 patients due to a ransomware attack by the INC group in July 2024. The breach was discovered on August 5, 2024, but investigations concluded only on May 5, 2025. The attackers accessed systems from July 17 to August 3, 2024. While full names were confirmed exposed, other data types remain unspecified. This incident follows a previous breach in July 2023 involving the ALPHV/BlackCat group, impacting 2.2 million individuals.
2025-06-23 | The Register: Second attack on McLaren Health Care in a year affects 743k people
McLaren Health Care is notifying 743,131 individuals about a cyberattack on Karmanos Cancer Institute, detected on August 5, 2024, after occurring on July 17. The breach compromised personal and protected health information, including names and Social Security numbers. McLaren is implementing additional safeguards and offers 12 months of free credit monitoring. This incident follows a previous attack in July 2023, affecting over 2 million individuals, claimed by the ALPHV/BlackCat group.
2025-06-23 | Tomsguide: Over 700K people hit in major healthcare data breach — full names, SSNs, medical info and more exposed
A data breach at McLaren Health Care has exposed the personal information of over 743,000 patients, including names, Social Security numbers, and medical records, occurring between July 17 and August 3, 2024. The breach involved McLaren and Karmanos Cancer Institute. The nature of the cyberattack remains unspecified. Recommendations for affected individuals include changing passwords, enabling two-factor authentication, and considering identity theft protection services.
2025-06-24 | SC Magazine: Over 743K impacted by McLaren Health Care breach
McLaren Health Care experienced a data breach affecting over 743,000 individuals, with the cyberattack occurring between July 17 and August 3. Compromised information includes names, Social Security numbers, medical details, driver's license numbers, and health insurance information. The breach was disclosed in a notice to the Maine Attorney General. This incident follows a previous attack by the ALPHV/BlackCat ransomware group, which also exposed sensitive personal data.
2025-06-24 | TechRadar: Major data breach at McLaren Health Care sees 743,000 patients affected - here's what we know
A ransomware attack between July and August 2024 at McLaren Health Care and Karmanos Cancer Institute has compromised the data of 743,131 patients, including Social Security numbers and medical information. The breach was linked to the INC ransomware gang, although McLaren did not directly attribute the attack. IT systems were down, leading to canceled appointments. Affected individuals are offered a year of free credit monitoring and advised to monitor their accounts for suspicious activity.
Steel giant Nucor confirms hackers stole data in recent breach
Date: 2025-06-23 | Source: BleepingComputer
Nucor, North America's largest steel producer, confirmed that hackers stole data during a recent cybersecurity breach. The company temporarily halted production at some facilities and took down systems to contain the incident. In a filing with the SEC, Nucor stated that limited data was exfiltrated and is under review. They have restored access to affected systems and believe the threat actors have been evicted. No details on the breach date or attack type have been disclosed, and no ransomware group has claimed responsibility.
Steel giant Nucor confirms hackers stole data in recent breach
2025-06-23 | Cyber Security News: Steelmaker Nucor Hacked – Attackers Gained Unauthorized Access to IT Systems
On May 13, 2025, Nucor Corporation experienced a cyberattack, leading to unauthorized access to its IT systems. The company temporarily halted production at several facilities as a precaution and implemented emergency containment protocols. A forensic analysis confirmed limited data exfiltration. Nucor is reviewing the stolen data and will notify affected parties as required. All operations have resumed, and additional security measures have been enacted to prevent future breaches. Federal authorities are investigating the incident.
2025-06-23 | Cybersecurity Dive: Steelmaker Nucor restores operations, confirms limited data breach
Nucor, a leading U.S. steel manufacturer, has restored operations after a May cyberattack that compromised limited data. The company believes it has removed the hackers and does not anticipate a significant financial impact. The incident temporarily affected access to certain functions and facilities. Nucor engaged external forensic experts for investigation and recovery, reinforcing its IT systems to prevent future attacks. Earnings are expected to be reported on July 28.
New SparkKitty Malware Attacks iOS and Android Devices in Wild Via App Store and Google Play
Date: 2025-06-23 | Source: Cyber Security News
SparkKitty is a sophisticated spyware campaign targeting iOS and Android devices via malicious apps in the App Store and Google Play, active since February 2024. Its primary goal is to steal images from victims' galleries, particularly those containing cryptocurrency wallet phrases. The malware employs obfuscated code and disguised frameworks to bypass security measures. It primarily targets users in Southeast Asia and China, utilizing various distribution methods, including modified applications and regional gambling games.
2025-06-23 | BleepingComputer: Malware on Google Play, Apple App Store stole your photos—and crypto
A new mobile malware named SparkKitty has been discovered in apps on Google Play and the Apple App Store, targeting both Android and iOS devices. It indiscriminately steals images from photo galleries, likely in search of cryptocurrency wallet recovery phrases. Active since February 2024, it was found in apps such as 币coin and SOEX, which have since been removed. Users are advised to scrutinize app permissions, avoid storing seed phrases on their devices, and keep them offline. Google and Apple have been contacted for comment.
2025-06-24 | Tom's Guide: This spyware is stealing photos on iPhone and Android — protect yourself now
SparkKitty spyware targets both iPhone and Android devices, stealing images, particularly screenshots of cryptocurrency wallet seed phrases. Active since February 2022, it infiltrates devices through malicious apps like SOEX on Google Play and 币coin on the App Store. While SOEX has been removed, 币coin remains available. The malware requests photo access and exfiltrates images. Users are advised to avoid sideloading apps, limit app installations, and utilize security features like Google Play Protect to mitigate risks.
2025-06-24 | TechRadar: This dangerous new malware is hitting iOS and Android phones alike - and it's even stealing photos and crypto
A new malware strain named SparkKitty is targeting iOS and Android users by sneaking onto official app stores. Discovered by Kaspersky in January 2025, it uses optical character recognition to steal cryptocurrency wallet recovery phrases from users' photos. SparkKitty has been distributed since February 2024, with one infected app, SOEX, downloaded over 10,000 times. Users are advised to verify app legitimacy, be cautious of excessive permissions, and securely store recovery phrases.
CoinMarketCap briefly hacked to drain crypto wallets via fake Web3 popup
Date: 2025-06-22 | Source: BleepingComputer
On January 20, CoinMarketCap experienced a supply chain attack that exposed users to a wallet drainer campaign. A vulnerability in the site's homepage "doodle" image allowed threat actors to inject malicious JavaScript, prompting users to connect their wallets via a fake Web3 popup. This led to the theft of $43,266 from 110 victims. The attack exploited a third-party resource, making it difficult to detect. Wallet drainers have become a significant threat, with reports indicating nearly $500 million stolen in 2024.
2025-06-23 | Risky.Biz: Risky Bulletin: CoinMarketCap hacked via a doodle image
CoinMarketCap was hacked on Friday through a vulnerability in its animated logo, allowing attackers to display a phishing popup that stole nearly $45,000 from over 110 users. The malicious code, linked to the Inferno Drainer phishing kit, was active for a few hours. The threat actor, known as Zartix, is associated with the underground group The Com. Additionally, Aflac and Oxford experienced significant breaches, and a ransomware attack targeted Feng Chia University in Taiwan.
2025-06-23 | Cyber Security News: CoinMarketCap Doodle Image Vulnerability Triggered Malicious Code Through an API Call
On June 20, 2025, CoinMarketCap identified a stored XSS vulnerability in a homepage doodle image that executed malicious code via API calls, leading to unauthorized JavaScript execution and pop-ups for users. The company promptly removed the image, conducted security audits, and enhanced protections, including stricter CORS policies, improved WAF rules, and real-time monitoring. All systems are operational, with ongoing user feedback monitoring and strengthened security measures to prevent future attacks.
2025-06-23 | SC Magazine: Crypto heist nabs over $43K from CoinMarketCap users
On a recent Friday, CoinMarketCap suffered a crypto heist resulting in the theft of $43,266 from 110 users, utilizing the Inferno Drainer tool. Attackers lured users with a pop-up to verify wallets, enabling access to funds. While various cryptocurrencies were stolen, some drain attempts failed due to unsupported tokens or empty wallets. The incident was linked to malicious code from a doodle on the homepage, which CoinMarketCap has since remediated, ensuring all systems are operational and secure.